Token Introspection security check
Closed this issue · 3 comments
yaronf commented
We should add: the AS MUST validate that the token is appropriate for the RS that presented it, and return an error otherwise.
jricher commented
In OAuth token introspection, the AS doesn't return an error in this stated case -- it simply says the token presented is not active, in order to prevent information leakage to a nosy RS.
Denisthemalice commented
@jricher: I don't understand your argument about a "nosy RS". The text states:
The RS signs the request with its own key
As a consequence, if the AS does not recognize the signature, it can return an error stating "bad signature".
If the signature is correct, the AS can provide all details to the recognized RS, as yaronf mentioned.
yaronf commented
s/error/inactive status/.
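The behaviour the thread converges on, as an added example (not code from this project or from any commenter): the introspection endpoint first authenticates the RS and rejects an unknown RS or bad signature with an error, but once the RS is authenticated, a token that is not meant for that RS (or does not exist, or has expired) is reported as `"active": false` rather than with an error, which is also what RFC 7662 requires. The HMAC request signature, RS identifiers, keys and token records are constructed stand-ins.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Constructed sample data: shared keys per RS and the AS's token store.
RS_KEYS = {"rs-photos": b"photos-secret", "rs-billing": b"billing-secret"}
TOKENS = {
    "tok-alice": {"sub": "alice", "aud": "rs-photos", "scope": "read", "exp": 9999999999},
    "tok-bob": {"sub": "bob", "aud": "rs-billing", "scope": "pay", "exp": 9999999999},
    "tok-old": {"sub": "carol", "aud": "rs-photos", "scope": "read", "exp": 1},
}


def sign_request(rs_id, token, key):
    """RS side: build an introspection request and sign its body with the RS key."""
    body = f"token={token}".encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"rs_id": rs_id, "body": body, "sig": sig}


def introspect(request, now=None):
    """AS side: returns (http_status, json_body)."""
    now = time.time() if now is None else now
    # Step 1: authenticate the caller. Unknown RS or bad signature is a
    # client-authentication failure, so an error is appropriate here.
    key = RS_KEYS.get(request["rs_id"])
    if key is None:
        return 401, {"error": "invalid_client"}
    expected = hmac.new(key, request["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["sig"]):
        return 401, {"error": "invalid_client"}
    # Step 2: the RS is known. Whether the token is missing, expired, or
    # issued for a different RS, answer uniformly with active=false so the
    # caller learns nothing about tokens it is not entitled to see.
    token = parse_qs(request["body"].decode()).get("token", [""])[0]
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] <= now or rec["aud"] != request["rs_id"]:
        return 200, {"active": False}
    return 200, {"active": True, "sub": rec["sub"], "scope": rec["scope"],
                 "aud": rec["aud"], "exp": rec["exp"]}


if __name__ == "__main__":
    # rs-billing asks about a token issued to rs-photos: not an error, just inactive.
    print(introspect(sign_request("rs-billing", "tok-alice", RS_KEYS["rs-billing"])))
    print(introspect(sign_request("rs-photos", "tok-alice", RS_KEYS["rs-photos"])))
```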