Indication of token introspection for a resource

Question

Indication of token introspection for a resource

Closed this issue 7 months ago · 3 comments

YS: Resource registration: the token_introspection_required element doesn't seem useful. If set to false but the AS receives an introspection call, should it reject it? If set to true and the call is not made, the AS would never know!

JR: I agree of the limited utility here, but it’s mostly telling the AS about the RS’s capabilities. Ultimately the AS is in charge of whether tokens can be introspected or not, or if they need to be.

YS: Still not convinced, suggest we remove it.

Answer 1 · 2023-10-23T16:16:46.000Z

I believe this was addressed in #71 but not by removing it.

Answer 2 · 2023-10-28T11:24:48.000Z

Yes, the new sentence in #71 does address it.

Note however that we say that "an error is returned" without defining the exact error (and similarly in a few other places in the draft).

See the core protocol for reference.

Answer 3 · 2023-10-30T14:19:21.000Z

You're right, that's a gap -- we do need to define errors for the RS-facing API, we'll add that.