Understood
On Thu, Mar 14, 2024 at 9:58 PM Justin Richer wrote:
> While I don’t have an answer for the question asked, I do want to note
> that in order to do a proper validation, the introspection request would
> have to include the values of the DPoP proof, but also the expected HTM and
> HTU
While I don’t have an answer for the question asked, I do want to note that in
order to do a proper validation, the introspection request would have to
include the values of the DPoP proof, but also the expected HTM and HTU values
from the RS, as the AS would not know these directly.
— Justin
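
Added example (not part of the thread and not code from any participant): a Python sketch of the request-binding checks in RFC 9449 section 4.3, showing that whoever validates the proof needs the request's method and URI as inputs. Function names and sample values are constructed for illustration; signature, `typ`/`alg`, `jti` and `iat` checks are left out here and must be done separately.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit, urlunsplit

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def strip_query_fragment(uri: str) -> str:
    # RFC 9449 section 4.3: htu is compared ignoring query and fragment.
    # Simplified normalization (assumption): lowercase scheme and authority only.
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))

def check_request_binding(proof: str, access_token: str, htm: str, htu: str) -> list:
    """Return the names of failed checks; an empty list means the claims match.

    htm and htu are the method and URI of the request the RS actually received.
    Does NOT verify the signature, typ/alg, jti replay or iat freshness.
    """
    _header_b64, payload_b64, _signature = proof.split(".")
    claims = b64url_json(payload_b64)
    failures = []
    if claims.get("htm") != htm:
        failures.append("htm")
    if strip_query_fragment(claims.get("htu", "")) != strip_query_fragment(htu):
        failures.append("htu")
    # ath is the base64url SHA-256 hash of the access token's ASCII encoding.
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    if claims.get("ath") != expected_ath:
        failures.append("ath")
    return failures

def make_constructed_proof(htm: str, htu: str, access_token: str) -> str:
    # Constructed sample proof with a placeholder signature, for this demo only.
    header = {"typ": "dpop+jwt", "alg": "ES256"}
    claims = {"jti": "constructed-1", "htm": htm, "htu": htu, "iat": 1710453480,
              "ath": b64url(hashlib.sha256(access_token.encode("ascii")).digest())}
    parts = [b64url(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(parts) + ".constructed-signature"

if __name__ == "__main__":
    token = "constructed-access-token"
    proof = make_constructed_proof("GET", "https://rs.example/resource", token)
    print(check_request_binding(proof, token, "POST", "https://rs.example/resource"))
```
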
Hey
I was reading over RFC 9449 and was surprised that introspection did not
take the DPoP header so that the introspection endpoint could do the check
on the DPoP proof rather than forcing the Resource Server to do it.