FWIW: the spec is not clear on this case, see a discussion about it here:
https://mailarchive.ietf.org/arch/msg/oauth/Z2QXaIPXvP8BIA0by6ktFSoyKK8
Based on that input I agree with Simon and would suggest to accept both.
Hans.
On Thu, Jun 20, 2019 at 3:45 AM <keycloak-user-request(a)lists.jboss.org> wrote:
We think we found a problem when using the token introspection endpoint with signed JWT client auth.

In the JWT, audience is set to the URL of the token introspection endpoint (we use mod_auth_openidc). However, Keycloak throws an error in JWTClientAuthenticator which looks like this:

Error when validating client assertion: java.lang.RuntimeException: Token audience doesn't match domain. Realm issuer is 'https://.../auth/realms/master' but audience from token is '[https://.../auth/realms/master/protocol/openid-connect/token/introspect]'

We found the description of a similar problem in KEYCLOAK-3424 for the token endpoint (see [0]). Here, JWTClientAuthenticator was adapted to accept both the issuer as well as the actual token endpoint URL as audience.

Now we are wondering whether that change failed to address the token introspection endpoint as well, or whether we are doing something wrong.
[0] https://issues.jboss.org/browse/KEYCLOAK-3424?focusedCommentId=13285402&a...
--
hans.zandbelt(a)zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
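Added illustration of the audience question discussed above; this is not code from the thread, from Keycloak or from mod_auth_openidc. It mints a signed JWT client assertion and verifies it under two server policies: one that accepts only the realm issuer as aud (the behaviour that produced the error quoted in the thread) and one that also accepts the endpoint URL the assertion is sent to (the "accept both" approach the reply suggests). It uses HS256 (client_secret_jwt) so it runs with the standard library only; a deployment like mod_auth_openidc would normally use private_key_jwt with an asymmetric key, and the checks on aud are identical. The hostname, client id and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed example values (assumptions for this illustration, not from the thread).
ISSUER = "https://idp.example.org/auth/realms/master"
TOKEN_ENDPOINT = ISSUER + "/protocol/openid-connect/token"
INTROSPECTION_ENDPOINT = TOKEN_ENDPOINT + "/introspect"
CLIENT_ID = "example-rp"
CLIENT_SECRET = b"0123456789abcdef0123456789abcdef"  # 256 bits, the minimum sane HS256 key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_client_assertion(client_id, secret, audiences, lifetime=60, now=None):
    """Build an HS256 client assertion as used for client_secret_jwt.

    `audiences` is a list. One entry is emitted as a plain string, several as a
    JSON array; RFC 7519 allows either form for aud, so a client can name both
    the issuer and the endpoint it is calling and satisfy either server policy.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": audiences[0] if len(audiences) == 1 else list(audiences),
        "iat": now,
        "exp": now + lifetime,
        "jti": uuid.uuid4().hex,  # unique id so the server can reject replays
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(assertion, secret, accepted_audiences, now=None):
    """Check signature, expiry and audience; return the claims on success.

    `accepted_audiences` is the set of aud values the server tolerates. Passing
    only the issuer reproduces the rejection quoted in the thread; adding the
    endpoint URLs corresponds to the KEYCLOAK-3424 style of fix.
    """
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    aud_values = set(aud) if isinstance(aud, list) else {aud}
    if not aud_values & set(accepted_audiences):
        raise ValueError(f"audience {sorted(map(str, aud_values))} not accepted")
    return claims


def is_accepted(assertion_audiences, server_audiences):
    """True when an assertion minted with `assertion_audiences` passes the server policy."""
    token = mint_client_assertion(CLIENT_ID, CLIENT_SECRET, assertion_audiences)
    try:
        verify_client_assertion(token, CLIENT_SECRET, server_audiences)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issuer_only = {ISSUER}
    issuer_and_endpoints = {ISSUER, TOKEN_ENDPOINT, INTROSPECTION_ENDPOINT}
    print("aud=introspect, server=issuer-only :", is_accepted([INTROSPECTION_ENDPOINT], issuer_only))
    print("aud=introspect, server=both        :", is_accepted([INTROSPECTION_ENDPOINT], issuer_and_endpoints))
    print("aud=[issuer,introspect], issuer-only:", is_accepted([ISSUER, INTROSPECTION_ENDPOINT], issuer_only))
```

The third case is the client-side workaround when the server cannot be changed: an aud array naming both the issuer and the endpoint passes an issuer-only check while still binding the assertion to the endpoint it was sent to.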