[mitreid-connect] Introspection endpoint - scopes check
Zaninetta Stefano
stefano.zaninetta at epfl.ch
Thu Aug 27 04:12:16 EDT 2015
Hello,
I noticed that the Introspection endpoint is returning 403 if the introspecting client configuration doesn't include all the scopes associated with the introspected token.
(https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/mitreid-connect-1.1.15/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java#L130)
I don't understand what the reason for that check is, and I couldn't find such a recommendation in the latest specs (https://tools.ietf.org/html/draft-ietf-oauth-introspection-11).
Could anyone explain to me what the rationale behind that is?
At the moment the workaround we adopted is to configure all the available scopes for all the clients used by the Protected Resources; that is equivalent to skipping the check.
Hence, I was considering removing it from the code, but I want to be sure I'm not missing any security implication.
Thanks a lot,
Stefano
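The check the post describes, modelled as an added example that is not the MITREid Connect code: the introspection endpoint compares the scopes configured on the introspecting client (the protected resource's own client registration) against the scopes on the token being introspected, and answers 403 unless the client's scopes cover every token scope. The `strict=False` path reproduces the workaround from the post (every client configured with all scopes, so the check never fails), and `missing_scopes` is a hypothetical helper that tells an operator which scopes to add to a client's configuration when they hit the 403. Client names, token values and scope sets are constructed sample data.

```python
# Added example: scope-coverage check on an OAuth 2.0 token introspection
# endpoint, as described in the mailing-list post. Not MITREid Connect code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    value: str            # the access token string presented for introspection
    active: bool          # False once expired or revoked
    scopes: frozenset     # scopes granted on the token
    subject: str = ""     # resource owner the token was issued for


@dataclass(frozen=True)
class Client:
    client_id: str        # the introspecting client (a protected resource)
    scopes: frozenset     # scopes this client is configured to be allowed


def missing_scopes(client: Client, token: Token) -> frozenset:
    """Hypothetical helper: token scopes the introspecting client is not
    configured for. Non-empty means the strict check below will answer 403,
    and this set is exactly what an operator would add to the client config."""
    return token.scopes - client.scopes


def introspect(client: Client, token: Token, strict: bool = True):
    """Return (HTTP status, JSON body) for an introspection request.

    strict=True  : the behaviour described in the post. The introspecting
                   client's configured scopes must cover every scope on the
                   token; otherwise 403 and nothing about the token is revealed.
    strict=False : the post's workaround (all scopes configured on every
                   client), which makes the coverage check a no-op.
    """
    if not token.active:
        # An inactive token is reported as such and nothing more, so the caller
        # cannot distinguish expired, revoked or never-issued tokens.
        return 200, {"active": False}

    if strict and missing_scopes(client, token):
        # Constructed error body; the original endpoint just answers 403.
        return 403, {"error": "insufficient_scope"}

    return 200, {
        "active": True,
        "scope": " ".join(sorted(token.scopes)),
        "sub": token.subject,
    }


# Constructed sample data: one token carrying three scopes, two protected
# resources registered as introspecting clients with different scope sets.
TOKEN = Token(value="tok-123", active=True,
              scopes=frozenset({"openid", "profile", "email"}), subject="alice")
INACTIVE = Token(value="tok-old", active=False,
                 scopes=frozenset({"openid"}), subject="alice")

# Resource server A is configured for only two of the token's three scopes.
RS_A = Client(client_id="rs-a", scopes=frozenset({"openid", "profile"}))
# Resource server B uses the post's workaround: every available scope.
RS_B = Client(client_id="rs-b",
              scopes=frozenset({"openid", "profile", "email", "address"}))

if __name__ == "__main__":
    for rs in (RS_A, RS_B):
        status, body = introspect(rs, TOKEN)
        print(rs.client_id, status, body, "missing:", set(missing_scopes(rs, TOKEN)))
    print("workaround:", introspect(RS_A, TOKEN, strict=False))
    print("inactive:", introspect(RS_B, INACTIVE))
```

Run as a script, `rs-a` gets a 403 with `missing: {'email'}` while `rs-b` gets the full 200 response; with `strict=False` the same `rs-a` request succeeds, which is exactly the effect of the configuration workaround in the post.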