# ory-selfhosting
Hey everyone, we've been troubleshooting an issue with OAuth2 token introspection in our Oathkeeper setup. Thought I'd share what we found in case anyone runs into similar problems. Oathkeeper is trying to connect to `localhost:4445` for OAuth2 token introspection instead of using the container name `hydra:4445`, despite the configuration explicitly specifying the correct URL.

Error Message:

```
Post "http://localhost:4445/admin/oauth2/introspect": dial tcp [::1]:4445: connect: connection refused
```

Full Logs:

```
level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, */* accept-encoding:gzip, compress, deflate, br authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". content-length:6750 content-type:application/x-www-form-urlencoded request-start-time:1744213967327 user-agent:bruno-runtime/2.1.0 x-forwarded-for:172.19.0.1 x-forwarded-host:localhost:8080 x-forwarded-proto:http] host:localhost:8080 method:POST path:/api/graphql query:<nil> remote:172.19.0.2:54258 scheme:http]
time=2025-04-09T15:52:47Z level=warning msg=The authentication handler encountered an error audience=application authentication_handler=oauth2_introspection error=map[message:Post "http://localhost:4445/admin/oauth2/introspect": dial tcp [::1]:4445: connect: connection refused] granted=false http_host=localhost:8080 http_method=POST http_url=http://localhost:8080/api/graphql http_user_agent=bruno-runtime/2.1.0 reason_id=authentication_handler_error rule_id=backend:protected service_name=ORY Oathkeeper service_version=v0.40.4
time=2025-04-09T15:52:47Z level=warning msg=Access request denied audience=application error=map[message:Post "http://localhost:4445/admin/oauth2/introspect": dial tcp [::1]:4445: connect: connection refused] granted=false http_host=localhost:8080 http_method=POST http_url=http://localhost:8080/api/graphql http_user_agent=bruno-runtime/2.1.0 service_name=ORY Oathkeeper service_version=v0.40.4
time=2025-04-09T15:52:47Z level=error msg=An error occurred while handling a request audience=application error=map[message:Post "http://localhost:4445/admin/oauth2/introspect": dial tcp [::1]:4445: connect: connection refused] http_request=map[headers:map[accept:application/json, text/plain, */* accept-encoding:gzip, compress, deflate, br authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". content-length:6750 content-type:application/x-www-form-urlencoded request-start-time:1744213967327 user-agent:bruno-runtime/2.1.0] host:localhost:8080 method:POST path:/api/graphql query:<nil> remote:172.19.0.2:54258 scheme:http] http_response=map[status_code:500] service_name=ORY Oathkeeper service_version=v0.40.
```
Our Setup:
- Docker Compose with Oathkeeper, Hydra, and Kratos containers
- Proper network configuration (containers can ping each other by name)
- OAuth2 introspection enabled in Oathkeeper config

Configuration: In our `oathkeeper.yml`:

```yaml
authenticators:
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://hydra:4445/oauth2/introspect
```
In our `access-rules.yml`:

```yaml
- id: "server:protected"
  upstream:
    preserve_host: true
    url: "http://server:3030"
    strip_path: /api
  match:
    url: "http://localhost:8080/api/<$|graphql>"
    methods:
      - GET
      - POST
  authenticators:
    - handler: oauth2_introspection
    - handler: cookie_session
  # ...
```
Troubleshooting Steps:
1. Verified DNS resolution works (Oathkeeper can resolve Hydra's IP)
2. Verified direct connection works (`wget -O- http://hydra:4445/health/ready` returns 200)
3. Set environment variables explicitly in Docker Compose
4. Checked all configuration files for hardcoded values

Any suggestions on this would be really helpful!
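As an added debugging aid, not part of the original post or of the Ory project: a small script that pulls the introspection endpoint and rule ids Oathkeeper actually used out of its logs and compares them with the values in the config files quoted above, so you can tell whether the running instance loaded that configuration at all. The log lines are constructed and shortened from the post's output; the configured values are copied from the post's YAML.

```python
import re
from urllib.parse import urlparse

# Values from the post's oathkeeper.yml and access-rules.yml, placed here as
# constants so the script needs no YAML library.
CONFIGURED_INTROSPECTION_URL = "http://hydra:4445/oauth2/introspect"
CONFIGURED_RULE_IDS = {"server:protected"}

# Constructed sample log lines, shortened from the Oathkeeper output in the post.
SAMPLE_LOG = """\
time=2025-04-09T15:52:47Z level=warning msg=The authentication handler encountered an error authentication_handler=oauth2_introspection error=map[message:Post "http://localhost:4445/admin/oauth2/introspect": dial tcp [::1]:4445: connect: connection refused] granted=false rule_id=backend:protected service_name=ORY Oathkeeper
time=2025-04-09T15:52:47Z level=warning msg=Access request denied error=map[message:Post "http://localhost:4445/admin/oauth2/introspect": dial tcp [::1]:4445: connect: connection refused] granted=false
"""

# The outbound URL appears as: Post "URL": dial tcp ...  (tolerate <URL> wrapping
# that chat clients add when logs are pasted).
POST_URL_RE = re.compile(r'Post "<?([^">]+)>?"')
RULE_ID_RE = re.compile(r"\brule_id=(\S+)")


def introspection_targets(log_text):
    """Distinct URLs Oathkeeper actually POSTed token introspection to."""
    return sorted(set(POST_URL_RE.findall(log_text)))


def rule_ids(log_text):
    """Distinct access-rule ids that matched requests in the log."""
    return sorted(set(RULE_ID_RE.findall(log_text)))


def audit(log_text, configured_url=CONFIGURED_INTROSPECTION_URL,
          configured_rules=CONFIGURED_RULE_IDS):
    """Compare what the logs show against what the config files say.

    Returns a list of human-readable findings; an empty list means the
    effective endpoint and rule ids agree with the configuration.
    """
    want = urlparse(configured_url)
    findings = []
    for url in introspection_targets(log_text):
        got = urlparse(url)
        if got.netloc != want.netloc:   # e.g. localhost:4445 vs hydra:4445
            findings.append(f"host mismatch: log={got.netloc} config={want.netloc}")
        if got.path != want.path:       # e.g. /admin/oauth2/introspect vs /oauth2/introspect
            findings.append(f"path mismatch: log={got.path} config={want.path}")
    for rid in rule_ids(log_text):
        if rid not in configured_rules:  # rule id the quoted rules file does not define
            findings.append(f"rule id {rid!r} is not in the loaded access-rules file")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOG) or ["no mismatch between logs and config"]:
        print(line)
```

Any finding here means the endpoint or rules Oathkeeper is running with are not the ones in the files you are editing, which is the thing to resolve before looking at networking.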