[SalesForce] oAuth – Introspection endpoint says a valid access token is inactive

I'm new to Salesforce and I'm trying to obtain an access token with the password grant.

I can successfully obtain the access token:

Request:

    POST /services/oauth2/token HTTP/1.1
    Host: .....my.salesforce.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=password
    &client_id=MY_CLIENT_ID
    &client_secret=MY_CLIENT_SECRET
    &username=some_email
    &password=some_password

Response:

    {
        "access_token": "some_token",
        "instance_url": "https://......my.salesforce.com",
        "id": "https://test.salesforce.com/id/00D260000001G7lEAE/00526000004wk0wAAA",
        "token_type": "Bearer",
        "issued_at": "1589009375588",
        "signature": "Q9Au4839PUdEfCamO7Qvjereo9i+kjimpbR3tfVAeVw="
    }

However, when I introspect the access token:

    POST /services/oauth2/introspect HTTP/1.1
    Host: ......my.salesforce.com
    Content-Type: application/x-www-form-urlencoded

    token=some_token
    &token_type_hint=access_token
    &client_id=MY_CLIENT_ID
    &client_secret=MY_CLIENT_SECRET

Introspection response:

    {
        "active": false
    }

Why is the token not active?

Best Answer

The response {"active": false} is only allowed in a very specific context. From the OAuth Introspection spec (RFC 7662):

If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the "active" field set to "false".

Even though one can't verify with certainty from merely reading your question, in your case it appears that the call is properly authorized, the token is active, and it does exist on this server. That leaves the possibility of the protected resource not being allowed to introspect this particular token. Indeed, the introspection privilege is the root cause of this issue.

In your connected app, if you select Introspect All Tokens, you'll see a valid response:

    {
        "active": true,
        "scope": null,
        "client_id": null,
        "username": "foo@bar.com",
        "sub": "https://test.salesforce.com/id/00D../005..",
        "token_type": "sid",
        "session_type": "Oauth2",
        "exp": ...,
        "iat": ...,
        "nbf": ...
    }

The SF doc does say that "By default, all connected apps can introspect their own tokens", and (presumably) this token was issued by this connected app. If the token had been issued by the connected app in an org different from the one doing the introspection, the requirement to grant introspection privileges by checking this option on the connected app would have been a fair ask. With the token being issued by the same app in the same org, the need to select Introspect All Tokens is a documentation and/or implementation bug.
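As an added example (not code from the question or the answer), here is how a resource server could build the introspection POST shown in the question with Python's standard library and then apply the RFC 7662 rules to the reply: an `"active": false` body is rejected without guessing which of the three causes applies, and even an `"active": true` body is checked against `exp` and `nbf`. The instance URL, the timestamps and the two sample bodies are constructed stand-ins for the thread's output.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample bodies modelled on the two replies in the thread
# (before and after enabling Introspect All Tokens). RFC 7662 expresses
# exp/iat/nbf in seconds; these values are placeholders, not Salesforce output.
NOW = 1589009400
INACTIVE = {"active": False}
ACTIVE = {
    "active": True, "scope": None, "client_id": None,
    "username": "foo@bar.com",
    "sub": "https://test.salesforce.com/id/00D.../005...",
    "token_type": "sid", "session_type": "Oauth2",
    "exp": NOW + 7200, "iat": NOW - 25, "nbf": NOW - 25,
}


def build_introspection_request(instance_url, token, client_id, client_secret):
    """Form-encode the /services/oauth2/introspect POST from the question."""
    body = urllib.parse.urlencode({
        "token": token,
        "token_type_hint": "access_token",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        instance_url.rstrip("/") + "/services/oauth2/introspect",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def check_introspection(resp, now=None, skew=60):
    """Return (accepted, reason) for a parsed introspection body."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        # RFC 7662 deliberately folds "expired", "unknown token" and
        # "this client may not introspect it" into one indistinguishable reply.
        return False, "inactive: expired, unknown, or not introspectable by this app"
    if resp.get("exp") is not None and now > resp["exp"] + skew:
        return False, "expired"
    if resp.get("nbf") is not None and now + skew < resp["nbf"]:
        return False, "not yet valid"
    if not (resp.get("sub") or resp.get("username")):
        return False, "no subject in response"
    return True, "active"


def introspect(req):
    """Send the request and evaluate the JSON reply (network call)."""
    with urllib.request.urlopen(req) as r:
        return check_introspection(json.load(r))
```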