Hi Ben, I saw your question and by coincidence I had just been doing some reading in RFC 7662. Maybe this helps.

> Could you give me a pointer where in the text it says that if "active" is false, no other claims are present? ("active" only appears three times, but none of them seem to say this.)

https://tools.ietf.org/html/rfc7662#page-12 says:

To avoid disclosing the internal state of the authorization server, an introspection response for an inactive token SHOULD NOT contain any additional claims beyond the required "active" claim (with its value set to "false").

Regards, jaap Francke
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
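As an added illustration of the passage Jaap quotes (this is example code, not from the thread or from any RFC 7662 implementation), the block below contrasts an introspection endpoint that returns only `{"active": false}` for expired, revoked and unknown tokens with a leaky variant that copies the stored record through, and shows the resource-server side treating anything other than a literal `true` as inactive. The `TOKENS` store, the fixed clock `NOW` and the function names are assumptions made for the example.

```python
"""Minimal RFC 7662 introspection response builder, written as an example.

Assumptions (not from the mailing-list post): tokens live in an in-memory
dict keyed by token string, and a fixed clock NOW keeps the example
deterministic.
"""

NOW = 1_700_000_000  # constructed reference time (seconds since the epoch)

# Constructed stand-in for the authorization server's token database.
TOKENS = {
    "tok-live": {
        "revoked": False, "scope": "read write", "client_id": "client-1",
        "username": "alice", "exp": NOW + 3600,
    },
    "tok-expired": {
        "revoked": False, "scope": "read", "client_id": "client-2",
        "username": "bob", "exp": NOW - 60,
    },
    "tok-revoked": {
        "revoked": True, "scope": "admin", "client_id": "client-3",
        "username": "carol", "exp": NOW + 3600,
    },
}

# Optional response members from RFC 7662 section 2.2 that we pass through
# for active tokens only.
PUBLISHED_CLAIMS = ("scope", "client_id", "username", "exp")


def introspect(token: str, now: int = NOW) -> dict:
    """Introspection response that follows the SHOULD NOT in section 2.2:
    an inactive token yields exactly {"active": False}, whether it is
    unknown, revoked or expired, so the caller cannot tell which."""
    record = TOKENS.get(token)
    if record is None or record["revoked"] or record["exp"] <= now:
        return {"active": False}
    response = {"active": True}
    for claim in PUBLISHED_CLAIMS:
        if claim in record:
            response[claim] = record[claim]
    return response


def introspect_leaky(token: str, now: int = NOW) -> dict:
    """Anti-pattern kept for contrast: the record is copied through and only
    the "active" flag is computed, so the scope, username and expiry of a
    dead token are still disclosed to whoever holds the token string."""
    record = TOKENS.get(token)
    if record is None:
        return {"active": False}
    response = {k: v for k, v in record.items() if k != "revoked"}
    response["active"] = not record["revoked"] and record["exp"] > now
    return response


def token_is_active(response: dict) -> bool:
    """Resource-server side check. "active" is the only required member, and
    the response is inactive unless it is the JSON boolean true; a string
    "true", a missing member or extra claims next to active=false must not
    be read as a live token."""
    return response.get("active") is True


if __name__ == "__main__":
    for tok in ("tok-live", "tok-expired", "tok-revoked", "tok-unknown"):
        print(tok, "strict:", introspect(tok), "leaky:", introspect_leaky(tok))
```

Run with a fixed `now` to see that the strict version answers the same `{"active": false}` for an expired, a revoked and a nonexistent token, which is the point of the SHOULD NOT: a caller probing with guessed or stolen token strings learns nothing about why a token is dead or what it used to grant.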