OIDC Introspect Endpoint is unexpectedly returning a 400

Version Affected:  All

Description:  
When sending a POST to OAuthIntrospect endpoint, it can unexpectedly return 400

Cause:  
There are many reasons for this, ultimately the IIS Server has returned a 400 as the POST does not conform to the expected format and/or content
One of the causes can be a lack of 'Audience' content, this can be seen when looking at the Debug logs for the Realm, at the time of the call to the Introspect endpoint

LogChannel="SA_DEBUG" FormatVersion="0.0.1" EventID="40999" Timestamp="2025-02-14T11:18:19.248Z" CompanyID="" ApplianceID="" Realm="" UserID="" BrowserSession="0529cbae-c97a-4639-ad9c-8c64b5769a4b" StateMachineID="" RequestID="6058b71e-0b45-4f39-a6d9-aff594e87a70" UserHostAddress="" Message="[JwtValidator].[ValidateJwt]: Exception: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Did not match: validationParameters.ValidAudience: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' or validationParameters.ValidAudiences: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at SecureAuth.IdentityModel.OpenIDConnect.Validators.JwtValidator.ValidateJwt(String jwt, String audience, String issuer, SecurityKey securityKey, Boolean validateLifetime)"

Resolution:  
Add valid content to the Audience(s) field of the OIDC Realm, under the Post Auth tab

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.