OPENAM-8983

introspect endpoint shouldn't be limited to the same client as token

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0
    • Fix Version/s: 13.5.2, 14.0.0
    • Component/s: oauth2

      Description

      The current OAuth2 introspect endpoint will only return token information if the request comes from the same client as the one used to get the token.

      The RFC (http://tools.ietf.org/html/rfc2119) states that the /introspection endpoint "MAY" allow a different client to introspect token information, and it would be more useful to users if this endpoint could be used by different clients.

      A single piece of software acting as both a client and a protected resource MAY reuse the same credentials between the token endpoint and the introspection endpoint, though doing so potentially conflates the activities of the client and protected resource portions of the software and the authorization server MAY require separate credentials for each mode.
      
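As an added illustration (not OpenAM's code), a minimal RFC 7662-style introspection handler in Python that authenticates the caller with its own credentials and keeps the same-client restriction described above as an explicit policy switch rather than a hard-coded rule; the client ids, secrets and token values are constructed sample data.

```python
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Token:
    client_id: str   # client the token was issued to
    scope: str
    sub: str
    exp: float       # absolute expiry, seconds since the epoch


@dataclass
class AuthorizationServer:
    tokens: dict = field(default_factory=dict)
    # Credentials of every party allowed to call /introspect: clients and,
    # separately, protected resources (RFC 7662 lets the server require both).
    introspect_clients: dict = field(default_factory=dict)
    # The behaviour the ticket complains about, kept as an explicit policy switch.
    restrict_to_issuing_client: bool = False

    def introspect(self, caller_id, caller_secret, token_value, now=None):
        now = time.time() if now is None else now
        secret = self.introspect_clients.get(caller_id)
        # The caller must authenticate (RFC 7662 section 2.1); unknown or wrong
        # credentials are an error, not an "inactive" answer.
        if secret is None or not hmac.compare_digest(secret, caller_secret):
            raise PermissionError("introspection caller not authenticated")
        tok = self.tokens.get(token_value)
        # Unknown, expired or (under the legacy rule) another client's token all get
        # the same bare {"active": false}, so the response leaks no reason.
        if tok is None or tok.exp <= now:
            return {"active": False}
        if self.restrict_to_issuing_client and tok.client_id != caller_id:
            return {"active": False}
        return {"active": True, "client_id": tok.client_id, "scope": tok.scope,
                "sub": tok.sub, "exp": int(tok.exp)}


def resource_server_lookup(restrict):
    """A protected resource ('api-rs') introspects a token issued to 'web-app'.
    All ids, secrets and the token value are constructed sample data."""
    srv = AuthorizationServer(restrict_to_issuing_client=restrict)
    srv.introspect_clients = {"web-app": "web-secret", "api-rs": "rs-secret"}
    srv.tokens["tok-123"] = Token("web-app", "read", "alice", exp=2_000_000_000)
    return srv.introspect("api-rs", "rs-secret", "tok-123", now=1_000_000_000)
```

With `restrict=True` the resource server gets only `{"active": False}` for a perfectly valid token, which is the limitation the ticket asks to lift; with `restrict=False` it receives the full token details.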

      People

      • Assignee: Joe Bandenburg (joe.bandenburg, inactive)
      • Reporter: Sachiko Wallace (sachiko)
      • Votes: 6
      • Watchers: 21