Comments

Intro
"about the authentication conext", not sure what this is since there is no 
authentication context in Oauth
Use of Oauth2, mixed with use of Oauth, pick one
"allows holder of a token to query" so anything/anyone that has a token can use 
this endpoint?

Introspection Endpoint
Use of OAuth2, mixed with use of OAuth, pick one

Introspection Request
"The endpoint SHOULD also require some form of authentication", what about some
form of authorization? Why do we have to have another endpoint that we have to
manage and then have a management API draft?

Token - is this any type of token? How does the endpoint know that it can deal
with this token type? So the endpoint has to try to look up the token to determine if
it can maybe find out something about the token? Can one use the
authorization code or does one have to get a token first?

Can I send an encrypted token and expect a proper response? What about a Proof
of Possession Token?

Introspection Response
What does "active" mean? Is this up to the server to determine?
"scope OPTIONAL", is this the scope in the token or is this the scope that the
introspection endpoint sources may have? It's unclear if all these return
values are from the token or from the introspection endpoint sources.
What error codes/conditions are there? Just the 400 (bad request)?
Can the endpoint return an encrypted response?
What about PII such as user_id, aud?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
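Added example, not part of the mailing-list post or of any OAuth draft: a minimal token introspection handler in Python that illustrates the three points raised above, namely that the caller (a resource server) is authenticated before anything is looked up, that "active" is decided by the authorization server from its own token state, and that the response carries only the claims the resource server needs and no user identifier. The opaque-token store, the HTTP Basic credentials and the fixed clock are constructed for the example; the response field names (active, scope, client_id, exp, token_type) follow RFC 7662 and are assumed here rather than taken from the post.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_700_000_000

# Constructed opaque-token store standing in for the authorization server's
# database; each entry is what the server knows about a token it issued.
TOKEN_STORE: Dict[str, dict] = {
    "tok-live":    {"client_id": "app-1", "scope": "read write", "sub": "user-42",
                    "exp": NOW + 600, "revoked": False},
    "tok-expired": {"client_id": "app-1", "scope": "read", "sub": "user-42",
                    "exp": NOW - 1, "revoked": False},
    "tok-revoked": {"client_id": "app-2", "scope": "read", "sub": "user-7",
                    "exp": NOW + 600, "revoked": True},
}

# Constructed credentials of the resource servers permitted to call the endpoint.
INTROSPECTION_CLIENTS: Dict[str, str] = {"rs-api": "rs-secret"}


def basic_auth_header(user: str, pwd: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for callers/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def _caller_authenticated(authorization: Optional[str]) -> bool:
    """Check the Authorization header against the allowed resource servers."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = INTROSPECTION_CLIENTS.get(user)
    # Constant-time comparison so a wrong secret does not leak timing information.
    return expected is not None and hmac.compare_digest(pwd, expected)


def introspect(headers: Dict[str, str], form: Dict[str, str],
               now: int = NOW) -> Tuple[int, dict]:
    """Handle one introspection request; returns (HTTP status, JSON body).

    An unknown, expired and revoked token all produce the same {"active": false},
    so an authenticated caller cannot use the endpoint to learn which tokens
    ever existed; only a missing 'token' parameter is a 400, and an
    unauthenticated caller is refused before any lookup happens.
    """
    if not _caller_authenticated(headers.get("Authorization")):
        return 401, {"error": "invalid_client"}
    token = form.get("token")
    if not token:
        return 400, {"error": "invalid_request"}
    entry = TOKEN_STORE.get(token)
    if entry is None or entry["revoked"] or entry["exp"] <= now:
        return 200, {"active": False}
    # Minimal claim set: the user identifier ("sub") stays on the server side;
    # the resource server only needs liveness, scope, owning client and expiry.
    return 200, {"active": True, "scope": entry["scope"],
                 "client_id": entry["client_id"], "exp": entry["exp"],
                 "token_type": "Bearer"}


if __name__ == "__main__":
    hdrs = {"Authorization": basic_auth_header("rs-api", "rs-secret")}
    for tok in ("tok-live", "tok-expired", "tok-revoked", "never-issued"):
        print(tok, introspect(hdrs, {"token": tok}))
    print("no auth", introspect({}, {"token": "tok-live"}))
```

The design choice worth noting is the single `{"active": false}` answer for every non-live case: the response tells the resource server what it needs (do not accept this token) without turning the endpoint into an oracle for token existence or revocation history.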