Hi All,

While going through [1] and [2] I noticed a small contradiction between the standards.

Section 3 (The WWW-Authenticate Response Header Field) of [1] provides an example WWW-Authenticate header with the error description "The access token expired". This error description should have been obtained from the response to the introspection request sent to the authorization server. But according to Section 2.2 (Introspection Response) of [2], it is not recommended to include any additional information about an inactive token, including why the token is inactive. So how do these scenarios match with each other?

[1] https://tools.ietf.org/html/rfc6750
[2] https://tools.ietf.org/html/rfc7662

Thanks,
--
Maduranga Siriwardena
Software Engineer
WSO2 Inc.
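The two constraints the question touches can be seen side by side in a resource server's token-rejection logic. The following is an added example written for this page, not code from the mailing-list author, WSO2, or either RFC. It assumes the introspection response (RFC 7662 Section 2.2) has already been fetched and parsed into a dict, that the resource server may keep a cache of earlier active introspection results (RFC 7662 Section 4 permits the protected resource to cache responses), and that the function names, the realm value and all token data are constructed for illustration. It shows that when the authorization server only reports `"active": false`, the only challenge the resource server can truthfully send is a bare `error="invalid_token"` (RFC 6750 Section 3.1); a specific `error_description` such as the RFC 6750 example text is justified only when the resource server itself knows the reason, for instance from an `exp` it has already seen for that token. The header builder also enforces the character set RFC 6750 Section 3 allows in `error_description` (%x20-21 / %x23-5B / %x5D-7E), so a description can never break the quoted-string syntax of the challenge.

```python
"""Added example (not from the original post): reconciling RFC 6750
WWW-Authenticate challenges with RFC 7662 introspection responses on a
resource server. All sample values are constructed."""
from typing import Optional, Tuple

# RFC 6750 section 3: error_description is limited to
# %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII without '"' and '\'.
_ALLOWED_DESC = set(chr(c) for c in range(0x20, 0x7F)) - {'"', '\\'}


def build_www_authenticate(realm: str, error: Optional[str] = None,
                           description: Optional[str] = None) -> str:
    """Render the RFC 6750 section 3 challenge, e.g.
    Bearer realm="example", error="invalid_token", error_description="..."."""
    if description is not None and not set(description) <= _ALLOWED_DESC:
        raise ValueError("error_description contains characters outside "
                         "the set RFC 6750 section 3 allows")
    # realm is an HTTP quoted-string, so escape backslash and double quote.
    escaped_realm = realm.replace("\\", "\\\\").replace('"', '\\"')
    params = [f'realm="{escaped_realm}"']
    if error is not None:
        params.append(f'error="{error}"')
    if description is not None:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)


def diagnose_token(introspection: dict, cached: Optional[dict],
                   now: float) -> Optional[Tuple[str, Optional[str]]]:
    """Decide what the resource server can truthfully tell the client.

    Returns None when the token is usable, otherwise (error, description).
    - active token whose 'exp' has passed: the resource server checks exp
      itself (clock skew, stale answer) and may say the token expired.
    - inactive token: per RFC 7662 section 2.2 the authorization server
      gives no reason, so by default only a generic invalid_token is sent.
    - inactive token that this resource server earlier saw active with an
      'exp' now in the past (its own cache, an assumption of this example):
      the reason is known locally, so the RFC 6750 example text is justified.
    """
    exp = introspection.get("exp")
    if introspection.get("active") is True:
        if isinstance(exp, (int, float)) and exp <= now:
            return ("invalid_token", "The access token expired")
        return None
    if cached is not None and cached.get("active") is True:
        cached_exp = cached.get("exp")
        if isinstance(cached_exp, (int, float)) and cached_exp <= now:
            return ("invalid_token", "The access token expired")
    return ("invalid_token", None)


def challenge_for(introspection: dict, cached: Optional[dict], now: float,
                  realm: str = "api") -> Optional[str]:
    """Full WWW-Authenticate value for a 401, or None if the request may proceed."""
    verdict = diagnose_token(introspection, cached, now)
    if verdict is None:
        return None
    error, description = verdict
    return build_www_authenticate(realm, error, description)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    # 1. AS answers only {"active": false}: nothing more can honestly be said.
    print(challenge_for({"active": False}, None, now))
    # 2. Same answer, but this RS cached an earlier active result with a past exp.
    print(challenge_for({"active": False},
                        {"active": True, "exp": now - 60, "scope": "read"}, now))
    # 3. Still active according to the AS.
    print(challenge_for({"active": True, "exp": now + 600}, None, now))
```

Case 1 prints `Bearer realm="api", error="invalid_token"`, case 2 prints the RFC 6750 example form with `error_description="The access token expired"`, and case 3 prints `None` because the token is accepted.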
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth