[mitreid-connect] Connecting /introspect from localhost without clientid
Yannick Béot
yannick.beot at gmail.com
Tue Feb 6 04:25:55 EST 2018
Hi,
I would say that the introspection endpoint must authenticate the client.
Excerpt from RFC 7662, "OAuth 2.0 Token Introspection":

    To prevent token scanning attacks, the endpoint MUST also require
    some form of authorization to access this endpoint, such as client
    authentication as described in OAuth 2.0
MitreID Connect, with its "introspection" checkbox, allows or disallows a client to
use this endpoint.
Regards,
Yannick
On Tue, Feb 6, 2018 at 9:52 AM, Marco Descher <descher at medevit.at> wrote:
> Hi List,
>
> I am co-hosting openid with another application acting as resource
> provider. Now I have to validate the tokens presented.
>
> Is it possible to configure OpenID s.t. I do not need any client and
> authentication to query /introspect with requests originating from
> localhost?
>
> Thanks,
> marco
>
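As an added illustration of the requirement quoted above (example code, not MitreID Connect's own implementation), here is a minimal RFC 7662 introspection handler in Python: it refuses any caller that does not present valid client credentials, models the per-client "introspection" permission as a flag, and answers `active: false` for unknown and expired tokens alike. The client and token registries, the `CLIENTS`/`TOKENS` names and the 403 response for a client without the permission are constructed assumptions.

```python
import base64
import hmac
import time

# Constructed sample registries; a real server would back these with a database.
CLIENTS = {
    "rs-billing": {"secret": "s3cret-billing", "allow_introspection": True},
    "web-app":    {"secret": "s3cret-web",     "allow_introspection": False},
}
TOKENS = {
    "tok-valid":   {"sub": "alice", "scope": "read", "client_id": "web-app", "exp": 4102444800},
    "tok-expired": {"sub": "bob",   "scope": "read", "client_id": "web-app", "exp": 0},
}


def authenticate_client(headers):
    """Return the client_id proven by an HTTP Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # covers malformed base64 and non-UTF-8 bytes
        return None
    client = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return None
    return client_id


def introspect(headers, form, now=None):
    """Handle POST /introspect; returns (http_status, json_body) as RFC 7662 section 2 describes."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}  # unauthenticated callers learn nothing
    if not CLIENTS[client_id]["allow_introspection"]:
        return 403, {"error": "access_denied"}   # the per-client "introspection" permission
    now = time.time() if now is None else now
    token = TOKENS.get(form.get("token", ""))
    if token is None or token["exp"] <= now:
        return 200, {"active": False}            # unknown and expired tokens look identical
    return 200, {"active": True, **token}


def basic_auth(client_id, secret):
    """Build the Authorization header a resource server sends with its client credentials."""
    raw = f"{client_id}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
```

Note that the source address of the request never enters the decision: a caller on localhost without credentials gets the same 401 as anyone else, which is exactly what the RFC text asks for.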