Public clients can use the token-based auth mechanism, can’t they? If you don’t 
have some form of authentication on the introspection endpoint, you end up with 
a way for people to anonymously and programmatically fish for valid token 
values. 

 — Justin

> On Jul 19, 2015, at 6:30 AM, Aaron Parecki <aa...@parecki.com> wrote:
> 
> The introspection draft states that the introspection endpoint MUST require 
> authentication of clients. It mentions either client authentication 
> (id+secret) or a separate bearer token.
> 
> How are public clients expected to use the token introspection endpoint? I 
> didn't see a note in the document about that at all.
> 
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com/>
> @aaronpk <http://twitter.com/aaronpk>
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
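The point Justin makes is that an introspection endpoint with no caller authentication is an anonymous oracle for token validity. The following is an added example, not code from this thread or from any of the participants, sketching how a resource server's introspection endpoint can enforce the draft's requirement: the caller must present either client credentials (HTTP Basic id+secret) or a separate bearer credential before any token is looked up, and unknown or expired tokens are reported only as inactive. The client registry, the issued tokens and the introspection bearer credential are all constructed values.

```python
import base64
import hmac
import secrets
import time

# Constructed sample data (not from the thread): confidential clients allowed
# to call the introspection endpoint, and tokens the server has issued.
CLIENTS = {
    "rs-api": {"secret": "s3cret-resource-server"},
}
TOKENS = {
    "tok-abc123": {"active": True, "scope": "read", "client_id": "app1",
                   "exp": 32503680000},  # far-future expiry for the example
}

# Hypothetical bearer credential for the second auth option the draft mentions.
INTROSPECTION_BEARER = "introspect-bearer-xyz"


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header for a client (helper for tests)."""
    raw = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


def _const_eq(a, b):
    # constant-time comparison so secret checks do not leak via timing
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate_caller(headers):
    """Return an identifier for the authenticated caller, or None.

    Accepts HTTP Basic client authentication (id+secret) or a bearer
    credential issued specifically for introspection.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, secret = decoded.partition(":")
        client = CLIENTS.get(client_id)
        # compare against a random value when the client is unknown, so the
        # response time does not reveal which client_ids are registered
        expected = client["secret"] if client else secrets.token_hex(16)
        if _const_eq(secret, expected) and client:
            return client_id
        return None
    if scheme == "bearer" and _const_eq(value, INTROSPECTION_BEARER):
        return "introspection-bearer"
    return None


def introspect(headers, form):
    """Handle a POST to the introspection endpoint; return (status, body)."""
    caller = authenticate_caller(headers)
    if caller is None:
        # No caller authentication: reveal nothing about any token value.
        return 401, {"error": "invalid_client"}
    info = TOKENS.get(form.get("token", ""))
    if info is None or info["exp"] <= time.time():
        # Unknown, revoked or expired tokens all look the same: inactive.
        return 200, {"active": False}
    return 200, dict(info)


if __name__ == "__main__":
    print(introspect({}, {"token": "tok-abc123"}))
    print(introspect(basic_header("rs-api", "s3cret-resource-server"),
                     {"token": "tok-abc123"}))
```

Without the `authenticate_caller` gate, the `TOKENS.get(...)` lookup would answer anyone who could reach the endpoint, which is exactly the anonymous fishing Justin describes; with it, a public client that has no secret of its own simply cannot call the endpoint and must rely on the resource server, which does hold credentials, to introspect on its behalf.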
