
Support Bearer Token Authentication of Introspection endpoint #6422

Open
jzheaux opened this issue Jan 14, 2019 · 2 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)

jzheaux commented Jan 14, 2019

Related to #5200 and #6352 (comment)

The OAuth 2.0 Introspection Response RFC allows a resource server to use a bearer token as authentication for an introspection request:

To prevent token scanning attacks, the endpoint MUST also require
some form of authorization to access this endpoint, such as client
authentication as described in OAuth 2.0 [RFC6749] or a separate
OAuth 2.0 access token such as the bearer token described in OAuth
2.0 Bearer Token Usage [RFC6750]. The methods of managing and
validating these authentication credentials are out of scope of this
specification.

@jzheaux jzheaux added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Jan 14, 2019
@jzheaux jzheaux added this to the 5.2.0 milestone Jan 14, 2019
@jzheaux jzheaux modified the milestones: 5.2.0, 5.3.x Sep 13, 2019
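
The exchange the quoted RFC paragraph describes, as an added example (not code from this issue or from Spring Security): a resource server authenticates its introspection call with a bearer token, and the endpoint authorizes the caller before it looks at the `token` parameter. All function names and token values are constructed for illustration, and in-memory dicts stand in for the authorization server's token store.

```python
import hmac
from urllib.parse import urlencode, parse_qs

# Constructed sample data: the bearer token issued to the resource server for
# calling the introspection endpoint, and one live end-user access token.
CALLER_TOKENS = {"rs-introspection-token": "resource-server-1"}
ACTIVE_TOKENS = {"user-token-abc": {"sub": "alice", "scope": "read"}}


def build_introspection_request(token, caller_bearer):
    """Resource-server side: form-encoded POST body plus a bearer credential
    (RFC 6750) in place of client credentials."""
    headers = {
        "Authorization": f"Bearer {caller_bearer}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, urlencode({"token": token})


def authenticate_caller(headers):
    """Return the caller id for a valid bearer credential, else None."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credential:
        return None
    for known, caller in CALLER_TOKENS.items():
        # Constant-time comparison so response timing does not leak the value.
        if hmac.compare_digest(known.encode(), credential.encode()):
            return caller
    return None


def handle_introspection(headers, body):
    """Endpoint side: authorize the caller BEFORE reading the token parameter,
    so an unauthenticated client cannot probe for valid token values."""
    if authenticate_caller(headers) is None:
        return 401, {"WWW-Authenticate": "Bearer"}, {}
    token = parse_qs(body).get("token", [""])[0]
    claims = ACTIVE_TOKENS.get(token)
    if claims is None:
        # Unknown, expired and revoked tokens all get the same minimal answer.
        return 200, {}, {"active": False}
    return 200, {}, {"active": True, **claims}
```
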
@jgrandja

@jzheaux This issue is quite old. Is it still valid?

jzheaux commented May 19, 2021

I've added some more detail to clarify that this is a currently unimplemented feature related to the introspection RFC.

@jzheaux jzheaux modified the milestones: 5.3.x, General Backlog May 19, 2021
@jzheaux jzheaux added the type: enhancement A general enhancement label May 19, 2021
@jgrandja jgrandja removed this from the General Backlog milestone Dec 19, 2022