As a note for the upcoming Token Exchange discussion in Prague, I’ll note that 
this same question may apply there.  Specifically, can the party requesting the 
exchange be a public client?  (And does it have to be an OAuth client at all?)

                                                            Cheers,
                                                            -- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Aaron Parecki
Sent: Sunday, July 19, 2015 6:31 AM
To: OAuth WG
Subject: [OAUTH-WG] Token introspection for public clients?

The introspection draft states that the introspection endpoint MUST require 
authentication of clients. It mentions either client authentication (id+secret) 
or a separate bearer token.

How are public clients expected to use the token introspection endpoint? I 
didn't see a note in the document about that at all.

----
Aaron Parecki
aaronparecki.com <http://aaronparecki.com>
@aaronpk <http://twitter.com/aaronpk>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
