I see that this behavior is due to the logic implemented in
TokenVerifier.java
In the TokenVerifier class it checks whether the issuer of the access
token and the accessed realm URL are the same or not. To achieve my use case I want
to disable the "checkRealmUrl=true" flag in that class, that is, to
initialize the checkRealmUrl variable as "false". This will solve my issue.
But I want to understand whether I am making any compromise on the confidentiality and
integrity of the access token. I would like to hear your opinions on this.
Please let me know your thoughts.
- J
On Thu, May 11, 2017 at 3:06 AM, Jason B <jason(a)naidmincloud.com> wrote:
Hello All,
I am having an issue with OAuth token introspection. Our Keycloak service
is accessible with two different host names.
For example
access-external.naidm.com &
access-internal.naidm.com
As an end user, when I obtain the OAuth token through
access-external.naidm.com and pass it to the resource server, and the
resource server tries to introspect the token through
access-internal.naidm.com, token introspection fails and we
always get {"active": false} irrespective of whether the issued token is
valid or not.
If we try to validate the OAuth token through the
access-external.naidm.com
endpoint, introspection succeeds. So we arrived at the conclusion that the
same endpoint (with the same FQDN) needs to be used for obtaining and
introspecting an OAuth token. Also, we noticed that tokens issued over
the HTTPS protocol can't be validated over HTTP and vice versa. We are
not concerned about HTTP, but we are concerned about why introspection
is failing with different FQDN endpoints.
BTW, we are using Keycloak 3.1 CR1. Any thoughts on why Keycloak is behaving
this way? Is there any way we can change this behavior? Please share your
thoughts on this.
- J
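As an added example (not code from this thread and not Keycloak's own TokenVerifier), the following Python shows the alternative to switching the issuer check off entirely: accept a token only when its iss names the expected realm on one of the known hostnames over HTTPS. The realm name "demo", the /auth/realms/ path layout and the unsigned sample tokens are assumptions for illustration; the check_issuer=False path shows what disabling the realm URL check amounts to, namely accepting any issuer.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed example values (not real tokens or keys); hostnames are the two from the thread.
ALLOWED_HOSTS = {"access-external.naidm.com", "access-internal.naidm.com"}
REALM = "demo"  # assumed realm name


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature, purely as constructed test input."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment. Signature verification is assumed to happen
    separately; this example only covers the issuer check."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def issuer_accepted(token: str, allowed_hosts=ALLOWED_HOSTS, realm=REALM, check_issuer=True) -> bool:
    """Accept a token whose iss names the expected realm on one of the trusted
    hostnames over HTTPS. check_issuer=False reproduces what disabling the realm
    URL check does: any issuer is accepted."""
    if not check_issuer:
        return True
    iss = urlparse(decode_payload(token).get("iss", ""))
    path_parts = iss.path.rstrip("/").split("/")
    return (
        iss.scheme == "https"
        and iss.hostname in allowed_hosts
        and path_parts[-2:] == ["realms", realm]
    )


if __name__ == "__main__":
    ext = make_unsigned_token({"iss": "https://access-external.naidm.com/auth/realms/demo"})
    foreign = make_unsigned_token({"iss": "https://idp.example.test/auth/realms/demo"})
    print(issuer_accepted(ext), issuer_accepted(foreign), issuer_accepted(foreign, check_issuer=False))
```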