The RFC for OAuth 2.0 Token Introspection states that the introspect endpoint MUST have some form of authorization:

To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750].
Some certified OAuth2 authorization servers expose the introspect endpoint on a different "internal" port (like ORY Hydra), which should then be guarded by its own measures. Other authorization servers use specific authorized clients for that.

Basic authorization should at least be supported.

A possible extra would be client-credentials Bearer token authorization.
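As an added example (not code from this issue or from the project it was filed against), here is a minimal introspection handler in Python that enforces the RFC 7662 requirement quoted above: the caller must authenticate with HTTP Basic client credentials, or present a separate bearer token carrying an assumed "introspect" scope, before any token status is disclosed. The client registry, the token store and the scope name are constructed for the example.

```python
import base64
import hmac

# Constructed sample data (not from the issue): registered clients and issued tokens.
CLIENTS = {"rs-client": "s3cret-example"}  # client_id -> client_secret
TOKENS = {  # access token -> introspection response fields
    "tok-user-1": {"active": True, "client_id": "web-app", "scope": "openid profile",
                   "sub": "alice", "exp": 1700000000},
    "tok-introspect": {"active": True, "client_id": "rs-client", "scope": "introspect",
                       "exp": 1700000000},
}

def basic_header(client_id, secret):
    """Authorization header value a resource server sends when using client authentication."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def _client_from_basic(value):
    """Return the client_id if the Basic credentials match a registered client, else None."""
    try:
        client_id, _, secret = base64.b64decode(value).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id

def _client_from_bearer(value):
    """Return the client_id if the bearer token is active and carries the 'introspect' scope."""
    meta = TOKENS.get(value)
    if meta and meta["active"] and "introspect" in meta["scope"].split():
        return meta["client_id"]
    return None

def introspect(headers, form):
    """Handle POST /introspect; returns (status, response headers, JSON body)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    caller = None
    if scheme.lower() == "basic":
        caller = _client_from_basic(value)
    elif scheme.lower() == "bearer":
        caller = _client_from_bearer(value)
    if caller is None:  # unauthenticated callers learn nothing about any token
        return 401, {"WWW-Authenticate": 'Basic realm="introspect"'}, {"error": "invalid_client"}
    meta = TOKENS.get(form.get("token", ""))
    if meta is None or not meta["active"]:  # RFC 7662: unknown or expired -> {"active": false}
        return 200, {}, {"active": False}
    return 200, {}, dict(meta)
```

Without the authentication check, the `{"active": false}` / full-metadata responses would let anyone enumerate which token strings are live, which is exactly the token-scanning risk the RFC text addresses.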