Currently no authentication is provided when the OAuth2 provider sends requests to introspect a token (for example when calling the tokeninfo/ endpoint). As suggested by common best practices for OAuth2, authentication is highly encouraged to reduce exposure to attacks and to prevent leakage of users' private data. The proposal is to add an Authorization header to these requests using HTTP Basic authentication, encoding the client id and client secret as base64(client_id:client_secret). This will make it compatible with several OAuth2/OIDC backends (like django-oidc-provider) which expect this header before allowing the request.
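As an added example (not code from the original proposal or from django-oidc-provider), the following Python shows both halves of what is being proposed: the caller building an introspection POST whose Authorization header carries the client credentials in HTTP Basic form, and the introspection endpoint parsing that header and checking it against its registered confidential clients before answering. It follows RFC 6749 section 2.3.1, which form-urlencodes the client id and secret before the colon-join and base64 step, so ids or secrets containing ":" or "@" round-trip correctly; the client ids, secrets and token values are constructed placeholders, and the registry dict stands in for whatever store a real provider uses.

```python
"""Added example: HTTP Basic client authentication for OAuth2 token
introspection requests (RFC 6749 sec. 2.3.1 / RFC 7662).
All client ids, secrets and tokens below are constructed placeholders."""
import base64
import hmac
from urllib.parse import quote, unquote, urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value for a confidential client.
    RFC 6749 form-urlencodes each part before joining with ':' and base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def build_introspection_request(client_id, client_secret, token, hint=None):
    """Headers and body of the POST a provider sends to the introspection
    (tokeninfo) endpoint: the token travels in the form body and the client
    credentials in the Authorization header, never in the query string."""
    form = {"token": token}
    if hint:
        form["token_type_hint"] = hint
    return {
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def parse_basic_auth(header_value):
    """Decode 'Basic <b64>' into (client_id, client_secret), or None if the
    header is absent, uses another scheme, or is not valid base64/UTF-8."""
    if not header_value:
        return None
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    cid, _, secret = decoded.partition(":")
    return unquote(cid), unquote(secret)


def authenticate_client(headers, registered_clients):
    """Server side: return the client_id when the Basic credentials match a
    registered confidential client, else None. The secret comparison is
    constant-time, and an unknown client id takes the same reject path as a
    wrong secret so the response does not reveal which part failed."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    cid, secret = creds
    expected = registered_clients.get(cid, "")
    if expected and hmac.compare_digest(secret.encode(), expected.encode()):
        return cid
    return None


# Constructed sample registry (placeholder values, not real credentials).
REGISTERED = {"my-oidc-client": "s3cr3t-placeholder"}

if __name__ == "__main__":
    req = build_introspection_request("my-oidc-client", "s3cr3t-placeholder",
                                      "opaque-token-placeholder", "access_token")
    print(req["headers"]["Authorization"])
    print(authenticate_client(req["headers"], REGISTERED))  # my-oidc-client
    print(authenticate_client({}, REGISTERED))              # None
```

On the provider side, `authenticate_client` runs before any token lookup, so an unauthenticated introspection call is rejected without confirming whether the token exists; on the caller side, `build_introspection_request` is what the proposal asks the OAuth2 provider to send when it calls the tokeninfo/ endpoint.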