According to draft-ietf-oauth-mtls-14 (https://tools.ietf.org/html/draft-ietf-oauth-mtls-14), the introspect endpoint MUST support client authentication via mTLS as described in the draft:
"This document describes an additional
mechanism of client authentication utilizing mutual TLS certificate-
based authentication, which provides better security characteristics
than shared secrets. While [RFC6749] documents client authentication
for requests to the token endpoint, extensions to OAuth 2.0 (such as
Introspection [RFC7662], Revocation [RFC7009], and the Backchannel
Authentication Endpoint in [OpenID.CIBA]) define endpoints that also
utilize client authentication and the mutual TLS methods defined
herein are applicable to those endpoints as well."
Steps to recreate the issue:
- Register an OAuth2 client "RS" with a certificate
- Obtain an access_token (AT)
- RS validates the AT at the introspect endpoint, e.g.:
curl -X POST \
--header "X-mtlsCertAuth: <lots-of-funny-chars>" \
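As an added illustration (not code from the issue or from the project under discussion), this sketches what the introspect endpoint should do with the forwarded certificate: authenticate the calling client RS with the draft's self_signed_tls_client_auth method (presented certificate must match the registered one, compared by x5t#S256 thumbprint) before answering, and echo the token's cnf binding in the response. It assumes a TLS-terminating proxy has already verified the handshake and forwards the client's PEM certificate in the X-mtlsCertAuth header, and that the header is stripped from anything arriving from the network; the certificate bytes and tokens are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for client RS's DER-encoded certificate (not a real X.509
# blob); only its thumbprint matters for the self_signed_tls_client_auth check.
RS_DER = b"constructed-der-bytes-for-client-RS"


def x5t_s256(der: bytes) -> str:
    """base64url SHA-256 thumbprint, the x5t#S256 form the draft uses in cnf."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()


# Registration record: client_id -> thumbprint of the certificate registered for it.
REGISTERED_CLIENTS = {"RS": x5t_s256(RS_DER)}

# Issued tokens (constructed): token -> claims, including the cert the AT is bound to.
TOKEN_STORE = {"AT-123": {"client_id": "app", "scope": "read", "cnf_x5t": "abc"}}


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str):
    """Strip PEM armor; return None for anything that is not valid base64."""
    body = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return None


def authenticate_client(client_id: str, cert_header) -> bool:
    """Assumption: cert_header is the X-mtlsCertAuth value set only by the TLS
    terminator after a successful handshake, never by the remote caller."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None or not cert_header:
        return False
    der = pem_to_der(cert_header)
    if der is None:
        return False
    # Constant-time compare of the presented thumbprint against the registered one.
    return hmac.compare_digest(x5t_s256(der), registered)


def introspect(client_id: str, cert_header, token: str) -> dict:
    """RFC 7662 introspection: reject unauthenticated callers before revealing anything."""
    if not authenticate_client(client_id, cert_header):
        return {"status": 401, "body": {"error": "invalid_client"}}
    claims = TOKEN_STORE.get(token)
    if claims is None:
        return {"status": 200, "body": {"active": False}}
    return {"status": 200, "body": {"active": True, "client_id": claims["client_id"],
                                    "scope": claims["scope"],
                                    "cnf": {"x5t#S256": claims["cnf_x5t"]}}}
```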