The documentation relating to introspection : https://www.keycloak.org/docs/4.8/authorization_services/#_service_protection_token_introspection
Gives the following info;
To introspect an RPT using this endpoint, you can send a request to the server as follows:
```
*curl -X POST *
- -H “Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpzZWNyZXQ=” *
- -H “Content-Type: application/x-www-form-urlencoded” *
- -d ‘token_type_hint=requesting_party_token&token=${RPT}’ *
- “http://localhost:8080/auth/realms/hello-world-authz/protocol/openid-connect/token/introspect”*
```
The request above is using HTTP BASIC and passing the client’s credentials (client ID and secret) to authenticate the client attempting to introspect the token, but you can use any other client authentication method supported by Keycloak.
I am using the Oathkeeper authenticator which only allows configuring a bearer token as authentication method when calling out to the introspection endpoint. However i do not know what scopes or config I need for the calling client to allow this to work, so far my attempts just result in an Authentication Failed message.
What scopes or other config do I need to setup.