Access token status is always inactive
š¬Self-hostedāQuestionšOIDCā
Solved
I am creating a self hosted login UI with OIDC and proxying all Zitadel requests through my own backend server.
I am following the documentation, but hitting an interesting issue that is most likely something to do with how I've configured things, but I've hit a wall.
I am able to complete the authorization flow and receive back an access and identity token via authorization_code grant.
However, when I take the returned token and pass it to the introspection endpoint (not proxied through my server), I always get a response of "{ "active": false }.
I can see in the Zitadel error logs the following message that shows whats going wrong:
What I don't understand is why there's an issuer mismatch. My Zitadel instance is running on port 8080.
Querying
http://localhost:8080/.well-known/openid-configuration
Does give:
How can I fix this so that the issuer on the token returned from the authorization_code flow correctly matches what Zitadel is expecting for the introspection endpoint?
This is a user agent application and I'm using react-oidc-context on the frontend.
I am following the documentation, but hitting an interesting issue that is most likely something to do with how I've configured things, but I've hit a wall.
I am able to complete the authorization flow and receive back an access and identity token via authorization_code grant.
However, when I take the returned token and pass it to the introspection endpoint (not proxied through my server), I always get a response of "{ "active": false }.
I can see in the Zitadel error logs the following message that shows whats going wrong:
time=2025-12-18T03:47:39.270Z level=INFO msg="oidc introspection" err="ID=OIDC-Eib8e Message=token is not valid or has expired Parent=(issuer does not match: Expected: http://localhost:8080, got: http://localhost)"time=2025-12-18T03:47:39.270Z level=INFO msg="oidc introspection" err="ID=OIDC-Eib8e Message=token is not valid or has expired Parent=(issuer does not match: Expected: http://localhost:8080, got: http://localhost)"What I don't understand is why there's an issuer mismatch. My Zitadel instance is running on port 8080.
Querying
http://localhost:8080/.well-known/openid-configuration
Does give:
"issuer":"http://localhost:8080""issuer":"http://localhost:8080"How can I fix this so that the issuer on the token returned from the authorization_code flow correctly matches what Zitadel is expecting for the introspection endpoint?
This is a user agent application and I'm using react-oidc-context on the frontend.
