In the upcoming revision of the draft I've reworked and moved that section
[1] so that it is more focused on public clients and certificate bound
tokens (see [a]). But yes, I think it comes down to saying that a client
that is expecting to use MTLS (for whatever reason: bound tokens or client
auth
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : JWT Response for OAuth Token Introspection
Authors : Torsten Lodderstedt
