[GH-ISSUE #8267] oauth2Introspect returns {active: false} when introspecting client differs from token-issuing client #28360

New Issue

GiteaMirror · 2026-04-17T19:47:16-05:00

GiteaMirror commented

2026-04-17 19:47:16 -05:00

Originally created by @DibyodyutiMondal on GitHub (Mar 1, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/8267

Originally assigned to: @Paola3stefania on GitHub.

Is this suited for github?

Yes, this is suited for github

The /oauth2/introspect endpoint returns {active: false} when the client_id used to authenticate the introspection request differs from the client_id that issued
the token (azp for JWTs, clientId for opaque tokens). This makes it impossible to implement a standard resource server pattern where a frontend client obtains an
access token and a separate API/resource server validates it using its own credentials.

Describe the solution you'd like

Remove or relax the azp !== clientId / accessToken.clientId !== clientId checks in introspect.ts. RFC 7662 §2.1 only requires the introspecting party to be
authenticated — it does not require it to be the same client that issued the token. The azp/client_id field is already returned in the response so callers can inspect
it themselves.

Optionally, make strict same-client enforcement opt-in via something like opts.strictClientIntrospection.

Describe alternatives you've considered

Calling /oauth2/userinfo instead — works since it skips the clientId check, but requires openid scope and is semantically wrong for API token validation.
Using the token-issuing client's credentials for introspection — not viable when the resource server doesn't have access to the frontend client's secret.

Additional context

The relevant checks in packages/oauth-provider/src/introspect.ts:

// JWT tokens
if (clientId && jwtPayload.azp !== clientId) {
    return { active: false };
}

// Opaque tokens
if (clientId && accessToken.clientId !== clientId) {
    return { active: false };
}

RFC 7662 reference: https://datatracker.ietf.org/doc/html/rfc7662#section-2.1

Originally created by @DibyodyutiMondal on GitHub (Mar 1, 2026). Original GitHub issue: https://github.com/better-auth/better-auth/issues/8267 Originally assigned to: @Paola3stefania on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. The `/oauth2/introspect` endpoint returns `{active: false}` when the `client_id` used to authenticate the introspection request differs from the `client_id` that issued the token (`azp` for JWTs, `clientId` for opaque tokens). This makes it impossible to implement a standard resource server pattern where a frontend client obtains an access token and a separate API/resource server validates it using its own credentials. ### Describe the solution you'd like Remove or relax the `azp !== clientId` / `accessToken.clientId !== clientId` checks in `introspect.ts`. RFC 7662 §2.1 only requires the introspecting party to be authenticated — it does not require it to be the same client that issued the token. The `azp`/`client_id` field is already returned in the response so callers can inspect it themselves. Optionally, make strict same-client enforcement opt-in via something like `opts.strictClientIntrospection`. ### Describe alternatives you've considered - Calling `/oauth2/userinfo` instead — works since it skips the `clientId` check, but requires `openid` scope and is semantically wrong for API token validation. - Using the token-issuing client's credentials for introspection — not viable when the resource server doesn't have access to the frontend client's secret. ### Additional context The relevant checks in `packages/oauth-provider/src/introspect.ts`: ```ts // JWT tokens if (clientId && jwtPayload.azp !== clientId) { return { active: false }; } // Opaque tokens if (clientId && accessToken.clientId !== clientId) { return { active: false }; } ``` RFC 7662 reference: https://datatracker.ietf.org/doc/html/rfc7662#section-2.1

GiteaMirror added the identity label 2026-04-17 19:47:16 -05:00

Sign in to join this conversation.

Branches Tags

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#28360