ietf-wg-gnap/gnap-resource-servers

Token Introspection security check

Closed this issue · 3 comments

We should add: the AS MUST validate that the token is appropriate for the RS that presented it, and return an error otherwise.

In OAuth token introspection, the AS doesn't return an error in this stated case -- it simply says the token presented is not active, in order to prevent information leakage to a nosy RS.

@jricher: I don't understand your argument about a "nosy RS". The text states:

The RS signs the request with its own key

As a consequence, if the AS does not recognize the signature, it can return an error stating "bad signature".
If the signature is correct, the AS can provide all details to the recognized RS, as yaronf mentioned.

s/error/inactive status/.
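The two response paths discussed in this thread, as an added example (not code from the thread or from the GNAP drafts): the AS first verifies the RS's signature on the introspection request and rejects an unverifiable request with an explicit error, then checks whether the token was issued for that RS and, if not, answers with an inactive status rather than an error. The signature scheme is an assumption: a plain HMAC-SHA256 over the RS identifier and request body stands in for the key-proofing mechanisms the specification actually requires, and the RS identifiers, keys, token table and error string are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample registry: the key each RS is known by at the AS.
# Assumption: a shared HMAC key per RS stands in for the RS's real signing key.
RS_KEYS = {
    "rs-photos": b"rs-photos-shared-secret",
    "rs-calendar": b"rs-calendar-shared-secret",
}

# Constructed token table: which RS each token was issued for, and its state.
TOKENS = {
    "tok-A": {"active": True, "rs": "rs-photos", "access": ["read-photos"]},
    "tok-B": {"active": False, "rs": "rs-photos", "access": ["read-photos"]},
}


def _mac(key, rs_id, body):
    # Bind the signature to both the RS identity and the request body.
    return hmac.new(key, rs_id.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def sign_request(rs_id, token, key):
    """RS side: build and sign an introspection request for `token`."""
    body = json.dumps({"access_token": token}, sort_keys=True,
                      separators=(",", ":")).encode()
    return {"rs": rs_id, "body": body, "sig": _mac(key, rs_id, body)}


def introspect(request):
    """AS side: returns (http_status, response_body)."""
    rs_id = request["rs"]
    key = RS_KEYS.get(rs_id)
    # An unknown RS cannot be verified, so it is treated exactly like a bad
    # signature: the request itself is rejected with an explicit error.
    if key is None or not hmac.compare_digest(
            _mac(key, rs_id, request["body"]), request["sig"]):
        return 401, {"error": "bad_signature"}  # constructed error string

    record = TOKENS.get(json.loads(request["body"]).get("access_token"))
    # Unknown token, revoked/expired token, or a token issued for a different
    # RS all collapse to the same answer: the caller learns only "not active".
    if record is None or not record["active"] or record["rs"] != rs_id:
        return 200, {"active": False}
    return 200, {"active": True, "access": record["access"]}


def run_demo():
    """Exercise each path; returns the list of AS responses."""
    return [
        # 1. Right RS, live token: full details.
        introspect(sign_request("rs-photos", "tok-A", RS_KEYS["rs-photos"])),
        # 2. Other recognised RS asks about a token not issued to it: inactive.
        introspect(sign_request("rs-calendar", "tok-A", RS_KEYS["rs-calendar"])),
        # 3. Right RS, token no longer active: inactive, indistinguishable from 2.
        introspect(sign_request("rs-photos", "tok-B", RS_KEYS["rs-photos"])),
        # 4. Signature made with the wrong key: explicit error.
        introspect(sign_request("rs-photos", "tok-A", b"wrong-key")),
        # 5. RS the AS has never heard of: explicit error, same as 4.
        introspect(sign_request("rs-unknown", "tok-A", b"whatever")),
    ]


if __name__ == "__main__":
    for status, body in run_demo():
        print(status, body)
```

Cases 2 and 3 produce byte-identical responses, which is the point of the last comment: a correctly signed request from a recognized RS about a token that is not meant for it gets an inactive status, not an error that would tell the RS the token exists and belongs to someone else.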