OAuth2 token introspection endpoint

Robert Jackson
Is there documentation on the security for this endpoint?

The authentication is by client & secret.

1.) Is the requirement that the endpoint authentication (basic authorization) must match the same client as the access_token was issued to? This seems to be the case, as calling it and authenticating with a different client/agent & secret just returns active: false every time.

2.) I have been unable to authenticate to this endpoint with a client/secret for an agent that is not in the root realm.



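The behaviour described in the post (an introspection call authenticated as a client other than the one the token was issued to comes back as `active: false`) is the privacy rule RFC 7662 asks of an introspection endpoint: a caller learns nothing about tokens it is not entitled to see, whether the token is expired, unknown, or simply belongs to someone else. The following is an added Python model of such an endpoint; it is not OpenAM code and makes no claim about how OpenAM or its realms are configured. The client registry, the tokens, and all identifiers are constructed for the example.

```python
"""Model of an RFC 7662-style token introspection endpoint (constructed example).

Two rules are demonstrated:
  1. The caller must authenticate as a registered client (HTTP Basic), else 401.
  2. Any token the caller may not learn about (unknown, expired, or issued to a
     different client) is reported as {"active": false}, never as a distinct error,
     so the response does not leak whether the token exists.
"""
import base64
import hmac
import time
from dataclasses import dataclass

# Constructed client registry: client_id -> client_secret.
CLIENTS = {
    "app-a": "secret-a",
    "app-b": "secret-b",
}


@dataclass
class Token:
    client_id: str   # client the token was issued to
    scope: str
    expires_at: float


# Constructed token store: one valid token and one expired token, both issued to app-a.
TOKENS = {
    "tok-123": Token(client_id="app-a", scope="read", expires_at=time.time() + 3600),
    "tok-old": Token(client_id="app-a", scope="read", expires_at=time.time() - 1),
}


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header value for a client."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def authenticate_client(authorization_header):
    """Parse HTTP Basic client credentials; return the client_id or None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, _, secret = raw.partition(":")
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so secret checks do not leak timing information.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def introspect(authorization_header, token, now=None):
    """Return (http_status, response_body) for an introspection request."""
    now = time.time() if now is None else now
    client_id = authenticate_client(authorization_header)
    if client_id is None:
        # Unauthenticated callers get no information at all (RFC 6749 invalid_client).
        return 401, {"error": "invalid_client"}
    tok = TOKENS.get(token)
    if tok is None or tok.expires_at <= now or tok.client_id != client_id:
        # Same answer for "unknown", "expired" and "not your token".
        return 200, {"active": False}
    return 200, {
        "active": True,
        "client_id": tok.client_id,
        "scope": tok.scope,
        "exp": int(tok.expires_at),
    }


if __name__ == "__main__":
    print(introspect(basic_header("app-a", "secret-a"), "tok-123"))  # active: True
    print(introspect(basic_header("app-b", "secret-b"), "tok-123"))  # active: False
    print(introspect(basic_header("app-a", "wrong"), "tok-123"))     # 401
```

Whether an authorization server should allow one client to introspect another client's tokens (for example a resource server introspecting tokens presented to it) is a deployment policy; the model above implements the strict "issuing client only" rule the post observed. The realm question in the post is an OpenAM configuration matter that this model does not address.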
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list