# ory-selfhosting
a
Hi everyone, I've spent a long time looking into an issue that's popped up recently on our Login service, where going through the OAuth2 flow with Ory Hydra results in the user receiving an opaque Access Token as expected, but when trying to introspect this (either manually through Insomnia, or through the SDK used in our middleware) we get an array of false/null values, like the following:
```text
#container: array:14 [
    "active" => false
    "aud" => null
    "clientId" => null
    "exp" => null
    "ext" => null
    "iat" => null
    "iss" => null
    "nbf" => null
    "obfuscatedSubject" => null
    "scope" => null
    "sub" => null
    "tokenType" => null
    "tokenUse" => null
    "username" => null
  ]
```
I understand this is the default response when a non-existent opaque token is sent to the introspect endpoint, but I've double checked countless times and it's for sure the token we received from Hydra. The client being used has the following configuration, which resulted in a functioning system a few weeks ago:
```json
{
  "client_name": "ClientName",
  "redirect_uris": [
    "http://127.0.0.1:3001/callback"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code",
    "id_token"
  ],
  "scope": "offline_access offline openid",
  "audience": [],
  "owner": "",
  "policy_uri": "",
  "allowed_cors_origins": [
    "http://127.0.0.1:3001",
    "http://127.0.0.1:5173"
  ],
  "tos_uri": "",
  "client_uri": "",
  "logo_uri": "",
  "contacts": [],
  "client_secret_expires_at": 0,
  "subject_type": "public",
  "jwks": {},
  "token_endpoint_auth_method": "client_secret_basic",
  "userinfo_signed_response_alg": "none",
  "created_at": "2023-10-23T12:45:50Z",
  "updated_at": "2023-10-23T12:45:49.702943Z",
  "metadata": {},
  "skip_consent": false,
  "authorization_code_grant_access_token_lifespan": null,
  "authorization_code_grant_id_token_lifespan": null,
  "authorization_code_grant_refresh_token_lifespan": null,
  "client_credentials_grant_access_token_lifespan": null,
  "implicit_grant_access_token_lifespan": null,
  "implicit_grant_id_token_lifespan": null,
  "jwt_bearer_grant_access_token_lifespan": null,
  "refresh_token_grant_id_token_lifespan": null,
  "refresh_token_grant_access_token_lifespan": null,
  "refresh_token_grant_refresh_token_lifespan": null
}
```
My dockerised Hydra gives the following logs when a request to this introspect endpoint is made:
```text
2024-06-03 14:51:26 time=2024-06-03T13:51:26Z level=info msg=started handling request http_request=map[headers:map[accept:application/json content-length:100 content-type:application/x-www-form-urlencoded user-agent:OpenAPI-Generator/1.0.0/PHP] host:host.docker.internal:5445 method:POST path:/admin/oauth2/introspect query:<nil> remote:192.168.65.1:53727 scheme:http]
2024-06-03 14:51:26 time=2024-06-03T13:51:26Z level=info msg=access denied audience=application error=map[debug:not_found message:request_unauthorized reason:Check that you provided valid credentials in the right format. status:Unauthorized status_code:401] http_request=map[headers:map[accept:application/json content-length:100 content-type:application/x-www-form-urlencoded user-agent:OpenAPI-Generator/1.0.0/PHP] host:host.docker.internal:5445 method:POST path:/admin/oauth2/introspect query:<nil> remote:192.168.65.1:53727 scheme:http] service_name=Ory Hydra service_version=v2.2.0-rc.3
2024-06-03 14:51:26 time=2024-06-03T13:51:26Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json content-length:100 content-type:application/x-www-form-urlencoded user-agent:OpenAPI-Generator/1.0.0/PHP] host:host.docker.internal:5445 method:POST path:/admin/oauth2/introspect query:<nil> remote:192.168.65.1:53727 scheme:http] http_response=map[headers:map[cache-control:no-store content-type:application/json;charset=UTF-8 pragma:no-cache vary:Origin] size:17 status:200 text_status:OK took:1.4455ms]
```
The second message there asks for "valid credentials" in the right format, but I'm not sure what these credentials are or how to send them. Does anyone know what's going wrong? And why this issue has only popped up recently?
m
> why this issue has only popped up recently?

Did you upgrade your Hydra version or make any changes there?
a
We're pulling and using the latest version, and I did notice in the releases section of 2.2.0 that the following is mentioned in the bug fixes: "Return empty slice if requested_scope or audience is null (#3711) (65165e7)", which might be the issue. I've tried adding a few different values for these fields but I'm not sure I'm doing it in the right place. I've added several `http://127.0.0.1:XXXX` values to audience and tried a few different options in the `scope` section of our client configuration but nothing seems to help. Is there somewhere else I need to be setting these?
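Two things in this thread are worth having in reusable form on the relying-party side: pulling the `error=map[...]` reason (here `debug:not_found`, `message:request_unauthorized`) out of Hydra's "access denied" log line so it can be correlated with the HTTP 200 / `active: false` the client sees, and making sure the middleware fails closed on exactly that all-null response. The following is an added example written for this page; it is not code from the thread participants or from Ory. The log line and the denied response are taken from the thread (using the raw JSON field names such as `client_id` and `token_type`, which the PHP SDK camel-cases); the active response and the hypothetical `authorize` policy (required scope, optional audience, `exp`/`nbf` bounds) are constructed for illustration.

```python
"""Fail-closed handling of Ory Hydra token-introspection results.

Added example for the thread above; not Ory's code. The log line and the
all-null introspection response are copied from the thread; the active
response below is constructed.
"""
import re
from typing import Optional

# Copied from the thread: Hydra's "access denied" log entry for the introspect call.
HYDRA_LOG_LINE = (
    "2024-06-03 14:51:26 time=2024-06-03T13:51:26Z level=info msg=access denied "
    "audience=application error=map[debug:not_found message:request_unauthorized "
    "reason:Check that you provided valid credentials in the right format. "
    "status:Unauthorized status_code:401] http_request=map[headers:map[accept:"
    "application/json content-length:100] host:host.docker.internal:5445 "
    "method:POST path:/admin/oauth2/introspect] service_name=Ory Hydra"
)

# Copied from the thread: the introspection body the middleware received
# (raw JSON names; the PHP SDK exposes them as clientId, tokenType, ...).
DENIED_RESPONSE = {
    "active": False, "aud": None, "client_id": None, "exp": None, "ext": None,
    "iat": None, "iss": None, "nbf": None, "obfuscated_subject": None,
    "scope": None, "sub": None, "token_type": None, "token_use": None,
    "username": None,
}

# Constructed: what a live token from the thread's client would look like.
# Timestamps are the thread's 13:51:26Z plus a one-hour lifetime.
ACTIVE_RESPONSE = {
    "active": True,
    "aud": [],                      # the client config has "audience": []
    "client_id": "ClientName",
    "exp": 1717426286,
    "iat": 1717422686,
    "iss": "http://127.0.0.1:4444/",  # constructed issuer URL
    "nbf": 1717422686,
    "scope": "offline_access offline openid",
    "sub": "constructed-subject-id",
    "token_type": "Bearer",
    "token_use": "access_token",
}

_ERROR_MAP = re.compile(r"error=map\[(.*?)\]")
# Values may contain spaces (the 'reason' field), so split on "key:" boundaries.
_KV = re.compile(r"(\w+):(.*?)(?=\s\w+:|$)")


def parse_hydra_error(line: str) -> dict:
    """Return the fields of the error=map[...] block, or {} if the line has none."""
    m = _ERROR_MAP.search(line)
    if not m:
        return {}
    return {k: v.strip() for k, v in _KV.findall(m.group(1))}


def authorize(introspection: dict, required_scope: str,
              expected_aud: Optional[str], now: int) -> tuple:
    """Decide whether an introspected token may be used for a request.

    Fails closed: an inactive token, or one missing the fields the policy
    needs, is rejected no matter what else the response contains.
    """
    if introspection.get("active") is not True:
        return False, "token not active (unknown, revoked or expired at the server)"
    exp = introspection.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or exp missing"
    nbf = introspection.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        return False, "token not yet valid"
    scopes = set((introspection.get("scope") or "").split())
    if required_scope not in scopes:
        return False, f"missing scope {required_scope!r}"
    if expected_aud is not None and expected_aud not in (introspection.get("aud") or []):
        return False, f"audience {expected_aud!r} not in token audience"
    return True, "ok"


if __name__ == "__main__":
    print(parse_hydra_error(HYDRA_LOG_LINE))
    print(authorize(DENIED_RESPONSE, "openid", None, 1717423000))
    print(authorize(ACTIVE_RESPONSE, "openid", None, 1717423000))
```

The `status_code:401` inside the log belongs to Hydra's internal token lookup, not to the HTTP response, which is why the client still sees a 200 with `active: false`; surfacing `debug` and `message` from the log is the quickest way to tell a genuinely unknown token apart from, say, a malformed request body.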