It seems like token introspection for pairwise tokens report access tokens with a pairwise sub as inactive when they're actually active. User lookup is using the sub instead of the session. It's a quick fix. Should I JIRA it and submit a PR? Martin