
unable to Introspect tokens if the issued host is different from the Introspect host #131

Closed
wgarunap opened this issue Oct 1, 2021 · 3 comments
Labels: bug (Something isn't working)

Comments

@wgarunap

wgarunap commented Oct 1, 2021

Describe the bug
The rs.Introspect method creates the request internally to inspect the token, and the host of this request is always the host of the Introspect endpoint. As I understand it, the token-issuing host and the Introspect endpoint can be different; in this case token validation will fail.

To Reproduce

  1. Create an access token for a host different from the Introspect URL host.
  2. Try to introspect the token.

This will always fail because the token-issuing host and the introspect host are different.

Expected behavior
The introspect method should allow the request host to change, as I understand it.

I am pretty new to this and maybe this is not a bug rather a question.

@wgarunap wgarunap added the bug Something isn't working label Oct 1, 2021
@fforootd (Member)

fforootd commented Oct 4, 2021

Hi @wgarunap

Can you please elaborate a little more in which way you are using our library?

The current implementation of the library should already allow the introspect and token urls to differ.

@livio-a correct me if I am wrong here 😁

@wgarunap (Author)

wgarunap commented Oct 4, 2021

Hi @fforootd

Assume a token is issued for the xyz.com host and my authentication server is hosted at auth.com. Now, when a user sends a request with a token generated from xyz.com and I Introspect the token from the backend, this will always fail.

Reason: the Introspect request doesn't know the issuing host, because the request is generated inside the Introspect method.

@fforootd (Member)

fforootd commented Oct 4, 2021

If I understand you correctly your backend (Resource Server) tries to send a token to the introspect endpoint of auth0, right? In this case our library should not really care about the content of the token.

As seen here, the library uses the inputs provided through the configuration with tokenURL and introspectURL. This is where you can configure those endpoints.
You can also use the dynamic configuration.

Can you provide us more insights?
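The point made in the last two comments, that the introspection endpoint a resource server talks to is chosen purely by configuration and does not have to share a host with the token's issuer, is easy to demonstrate with a small RFC 7662 exchange. The following Go program is an added example written for this thread; it is not the library's own code and does not use its API. It constructs a stand-in authorization server on a loopback host via httptest, has it vouch for tokens whose `iss` is a completely different host, and lets a resource server (hypothetical client id `rs-client`, secret `rs-secret`, token `tok-alice`, all constructed) introspect them. The resource server's acceptance decision compares the `active`, `iss` and `aud` claims in the response against what it expects; the host of the introspection URL never enters that decision.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// IntrospectionResponse is the subset of RFC 7662 fields this example inspects.
type IntrospectionResponse struct {
	Active   bool   `json:"active"`
	Issuer   string `json:"iss,omitempty"`
	Audience string `json:"aud,omitempty"`
	Subject  string `json:"sub,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
}

// Introspect POSTs the token to introspectURL (RFC 7662), authenticating the
// resource server with HTTP Basic client credentials. The endpoint comes from
// configuration only; nothing inside the token decides where it is sent.
func Introspect(ctx context.Context, introspectURL, clientID, clientSecret, token string) (*IntrospectionResponse, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, introspectURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)

	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var ir IntrospectionResponse
	if err := json.NewDecoder(resp.Body).Decode(&ir); err != nil {
		return nil, err
	}
	return &ir, nil
}

// NewMockAuthServer is a constructed stand-in for the authorization server. It
// listens on the httptest loopback host, while the tokens it vouches for carry
// a different issuer, so the issuing host and the introspection host differ on purpose.
func NewMockAuthServer(issuer, clientID, clientSecret string, tokens map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.WriteHeader(http.StatusUnauthorized) // only registered resource servers may introspect
			return
		}
		if err := r.ParseForm(); err != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		sub, known := tokens[r.PostForm.Get("token")]
		if !known {
			// RFC 7662: unknown, expired or revoked tokens get {"active": false} and no other claims.
			_ = json.NewEncoder(w).Encode(IntrospectionResponse{Active: false})
			return
		}
		_ = json.NewEncoder(w).Encode(IntrospectionResponse{
			Active: true, Issuer: issuer, Audience: "api", Subject: sub,
			Exp: time.Now().Add(time.Hour).Unix(),
		})
	}))
}

// CheckToken is the resource server's decision: accept only active tokens whose
// issuer and audience match what this server expects. The host of the
// introspection endpoint is never compared with the issuer.
func CheckToken(ctx context.Context, introspectURL, clientID, clientSecret, token, wantIssuer, wantAud string) (bool, error) {
	ir, err := Introspect(ctx, introspectURL, clientID, clientSecret, token)
	if err != nil {
		return false, err
	}
	return ir.Active && ir.Issuer == wantIssuer && ir.Audience == wantAud, nil
}

func main() {
	const issuer = "https://xyz.example" // constructed issuer, not the host the endpoint lives on
	srv := NewMockAuthServer(issuer, "rs-client", "rs-secret", map[string]string{"tok-alice": "alice"})
	defer srv.Close()
	introspectURL := srv.URL + "/oauth/v2/introspect"
	ok, err := CheckToken(context.Background(), introspectURL, "rs-client", "rs-secret", "tok-alice", issuer, "api")
	fmt.Println("introspect host:", srv.URL, "issuer:", issuer, "accepted:", ok, "err:", err)
}
```

Two things in this exchange are worth keeping in mind when the hosts differ: the resource server's trust is anchored in the configured introspection URL plus its own client credentials, not in anything the bearer token says about itself, and the `iss`/`aud` check on the response is what stops a token minted for some other issuer or API from being accepted just because the introspection endpoint reported it active.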
