[mitreid-connect] Introspection endpoint - scopes check

Zaninetta Stefano stefano.zaninetta at epfl.ch
Thu Aug 27 04:12:16 EDT 2015


Hello,

I noticed that the Introspection endpoint is returning 403 if the introspecting client configuration doesn't include all the scopes associated with the introspected token.
(https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/mitreid-connect-1.1.15/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java#L130)

I don't understand what the reason for that check is, and I couldn't find such a recommendation in the latest specs (https://tools.ietf.org/html/draft-ietf-oauth-introspection-11).
Could anyone explain to me what the rationale behind that is?

At the moment the workaround we adopted is to configure all the available scopes for all the clients used by the Protected Resources; that is equivalent to skipping the check.
Hence, I was considering removing it from the code, but I want to be sure I'm not missing any security implication.

Thanks a lot,
Stefano
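An added model of the behaviour the post describes (example code, not the project's own IntrospectionEndpoint): a resource server's client may only introspect a token whose scopes all fall within that client's configured scopes, otherwise the endpoint answers 403; unknown or expired tokens get the `active: false` answer the cited draft prescribes. The client and token records, the `insufficient_scope` error body and the `scope_check` switch (modelling the "grant every scope" workaround) are constructed assumptions.

```python
# Constructed registry: which scopes each introspecting client is configured with.
CLIENTS = {
    "rs-photos": {"photos.read"},
    "rs-admin": {"photos.read", "photos.write", "profile"},
}
# Constructed issued tokens; exp is an absolute time compared against NOW.
NOW = 1_440_000_000
TOKENS = {
    "tok-1": {"scope": {"photos.read"}, "client_id": "app-a", "exp": NOW + 600},
    "tok-2": {"scope": {"photos.read", "photos.write"}, "client_id": "app-b", "exp": NOW + 600},
    "tok-3": {"scope": {"profile"}, "client_id": "app-c", "exp": NOW - 1},
}


def introspect(introspecting_client, token_value, scope_check=True, now=NOW):
    """Return (http_status, response_body) for one introspection request.

    scope_check=False models the workaround from the post: with every scope
    granted to every resource-server client the subset test can never fail.
    """
    client_scopes = CLIENTS.get(introspecting_client)
    if client_scopes is None:
        return 401, {"error": "invalid_client"}

    token = TOKENS.get(token_value)
    # Unknown or expired token: the introspection draft says to answer
    # active=false rather than an HTTP error, so the caller learns nothing more.
    if token is None or token["exp"] <= now:
        return 200, {"active": False}

    # The check discussed in the post: every scope carried by the token must be
    # among the introspecting client's own scopes, else 403. Effect: a resource
    # server only ever sees tokens for scopes it is itself configured to handle.
    if scope_check and not token["scope"] <= client_scopes:
        return 403, {"error": "insufficient_scope"}

    return 200, {
        "active": True,
        "scope": " ".join(sorted(token["scope"])),
        "client_id": token["client_id"],
        "exp": token["exp"],
    }
```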