keycloak + Kong API Gateway

We are using keycloak to handle authentication (client/secret) in our API Gateway.

The Kong API service uses konnect-managed-plugin to refer to keycloak to authenticate client credentials and return a bearer token.

Future calls to other endpoints use oauth2-introspection to verify the bearer token via keycloak introspection.

I almost have this working however, when I authenticate via Kong api gateway, it returns a bearer token, but this token fails introspection.

If I auth straight to keycloak, the bearer token works for introspection.

e.g.

Token from: http://kongapigateway.domain/getOAuthToken

  • NOTE: We have not yet set up ssl on the kong api gateway

Returns:

{"access_token":"ey..ZiUQyw","expires_in":900,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}

Calling api endpoint in kong that uses introspection fails: http://kongapigateway.domain/bookings

{
    "error_description": "The access token is invalid or has expired",
    "error": "invalid_token"
}

Direct call to keycloak introspection also fails: https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token/introspect

{
    "active": false
}

However if I get token direct from keycloak server: https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token

{"access_token":"eyJhb...4lT8w","expires_in":900,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}

The token works for both endpoints: http://kongapigateway.domain/bookings and https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token/introspect

So why doesn't the introspection work for the token returned in the first scenario?
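One offline check a practitioner would run on the two tokens above (the one obtained through Kong and the one obtained directly from Keycloak) is to decode their unverified claims and compare the fields an RFC 7662 introspection endpoint decides on: issuer, expiry and token type. This is an added diagnostic, not code from the original post or from Kong/Keycloak; the realm issuer URL and the sample tokens are constructed assumptions.

```python
# Added diagnostic (not from the original post): decode the unverified claims of
# Keycloak-style access tokens and list why a realm's RFC 7662 introspection
# endpoint would answer {"active": false}. The realm URL below is an assumption.
import base64
import json
import time
from typing import Dict, List, Optional

REALM = "https://keycloak.domain/auth/realms/myrealm"  # assumed realm issuer URL


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> Dict:
    """Return the JWT payload WITHOUT checking the signature.
    Diagnostic use only: never authorize a request on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def introspection_mismatch(token: str, realm_issuer: str, now: Optional[float] = None) -> List[str]:
    """Reasons the realm at `realm_issuer` would report this token inactive:
    minted under a different issuer, already expired, or not an access token."""
    claims = decode_unverified(token)
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != realm_issuer:
        reasons.append(f"issuer {claims.get('iss')!r} != introspecting realm {realm_issuer!r}")
    if claims.get("exp", 0) <= now:
        reasons.append("token expired (exp <= now)")
    if claims.get("typ") not in (None, "Bearer"):
        reasons.append(f"typ {claims['typ']!r} is not an access token")
    return reasons


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a token whose issuer is the gateway host rather than the realm URL.
    sample = make_unsigned_token({"iss": "http://kongapigateway.domain/auth/realms/myrealm",
                                  "exp": time.time() + 900, "typ": "Bearer"})
    print(introspection_mismatch(sample, REALM))
```

Paste the real `access_token` values from both responses into `introspection_mismatch` and compare the output; an empty list for one token and a non-empty list for the other points at the claim that differs.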

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow