modern-addition-33234
04/04/2024, 12:06 PM chilly-king-10285
04/04/2024, 12:07 PM
`oauth2_introspection` authenticator in Ory Oathkeeper. First, you need to define an access rule in a JSON file. This rule specifies the upstream service, the match criteria (URL and methods), the authenticator to use (`oauth2_introspection` in this case), and the required scope and target audience. Here's an example:

```json
[
  {
    "id": "some-id",
    "upstream": {
      "url": "http://my-backend-service"
    },
    "match": {
      "url": "http://my-app/some-route",
      "methods": ["GET"]
    },
    "authenticators": [
      {
        "handler": "oauth2_introspection",
        "config": {
          "required_scope": ["scope-a", "scope-b"],
          "target_audience": ["example_audience"]
        }
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [{ "handler": "noop" }]
  }
]
```

(Source: [Ory Documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection-access-rule-example))

Then, you can test this rule by making requests to your application. If no credentials are provided, or if the provided credentials are invalid, the request will be unauthorized. If valid credentials are provided, the request will be allowed:

```bash
curl -X GET http://my-app/some-route
# Response: HTTP/1.0 401 Status Unauthorized

curl -X GET -H 'Authorization: Bearer invalid-token' http://my-app/some-route
# Response: HTTP/1.0 401 Status Unauthorized

curl -X GET -H 'Authorization: Bearer valid.access.token.from.peter' http://my-app/some-route
# Response: HTTP/1.0 200 OK
```

(Source: [Ory Documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection-access-rule-example))

In the background, the `oauth2_introspection` handler will make a request to the OAuth 2.0 Token Endpoint to check if the Bearer Token is valid. The token is considered valid if the Introspection response is HTTP 200 OK and includes `{"active":true}` in the response payload. The subject is extracted from the `username` field. For more detailed configuration options, you can refer to the [Ory Documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection-configuration).