Hey I was reading over RFC 9449 and was surprised that introspection did not take the DPoP header so that the introspection endpoint could do the check on the DPoP proof rather than forcing the Resource Server to do it.
https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-

Curious what was the reasoning behind this?

/Dick
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
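What the resource server is left to do once the introspection response carries only `cnf.jkt`, as an added Python example that is not part of the thread or of RFC 9449: compute the RFC 7638 thumbprint of the key in the proof's `jwk` header, compare it with `cnf.jkt`, and check the proof's `htm`, `htu`, `ath`, `iat` and `jti` claims. The key, token, URLs and function names are constructed for the demo; the JWS signature over the proof is deliberately not verified here and must be checked with a JOSE library using that same `jwk`.

```python
"""DPoP binding check a resource server performs after token introspection.

Added example, not code from RFC 9449 or the thread. The introspection
response only returns the thumbprint in cnf.jkt, so the RS itself must
verify the DPoP proof. This block does the DPoP-specific part with the
standard library; the JWS signature must still be verified separately.
"""
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, no whitespace. This is what cnf.jkt holds."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_proof(proof: str):
    """Split the compact JWS into header and payload; signature left to a JOSE lib."""
    parts = proof.split(".")
    if len(parts) != 3:
        raise ValueError("DPoP proof is not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def normalize_htu(url: str) -> str:
    """htu is compared without query and fragment; scheme/host case-insensitive."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def verify_dpop_binding(proof, introspection, method, url, access_token,
                        seen_jti, now=None, max_skew=300):
    """Return None if the proof binds this request to the introspected token,
    otherwise a short reason. Caller must also verify the JWS signature."""
    now = int(time.time()) if now is None else now
    if not introspection.get("active"):
        return "token inactive"
    jkt = introspection.get("cnf", {}).get("jkt")
    if not jkt:
        return "token is not DPoP-bound (no cnf.jkt)"
    header, claims = parse_proof(proof)
    if header.get("typ") != "dpop+jwt":
        return "typ is not dpop+jwt"
    alg = header.get("alg", "")
    if alg == "none" or alg.startswith("HS"):
        return "alg must be asymmetric"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        return "missing public jwk in header (or private key present)"
    if jwk_thumbprint(jwk) != jkt:
        return "proof key does not match cnf.jkt"
    if claims.get("htm") != method:
        return "htm mismatch"
    if normalize_htu(claims.get("htu", "")) != normalize_htu(url):
        return "htu mismatch"
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    if claims.get("ath") != expected_ath:
        return "ath does not hash the presented access token"
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_skew:
        return "iat missing or outside acceptable window"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return "jti missing or replayed"
    seen_jti.add(jti)
    return None


def build_demo_proof(jwk, method, url, access_token, iat, jti):
    """Constructed proof for the demo; the signature segment is a placeholder
    because this block does not sign (a real client signs with the jwk's key)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": jti, "htm": method, "htu": url, "iat": iat,
              "ath": b64url(hashlib.sha256(access_token.encode("ascii")).digest())}
    return ".".join([b64url(json.dumps(header, separators=(",", ":")).encode()),
                     b64url(json.dumps(claims, separators=(",", ":")).encode()),
                     b64url(b"placeholder-signature")])


# Constructed demo key: not a real curve point, irrelevant here since the
# signature is not verified in this block. Token and URL are constructed too.
DEMO_JWK = {"kty": "EC", "crv": "P-256",
            "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
DEMO_TOKEN = "demo-access-token"
DEMO_URL = "https://rs.example/resource"


def demo():
    intro = {"active": True, "cnf": {"jkt": jwk_thumbprint(DEMO_JWK)}}
    proof = build_demo_proof(DEMO_JWK, "GET", DEMO_URL, DEMO_TOKEN, 1700000000, "jti-1")
    seen = set()
    return {
        "valid": verify_dpop_binding(proof, intro, "GET", DEMO_URL + "?page=2",
                                     DEMO_TOKEN, seen, now=1700000000),
        "replay": verify_dpop_binding(proof, intro, "GET", DEMO_URL,
                                      DEMO_TOKEN, seen, now=1700000000),
        "other_token": verify_dpop_binding(proof, intro, "GET", DEMO_URL,
                                           "stolen-token", set(), now=1700000000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result is None else result}")
```

The thumbprint comparison is the only place the introspection response enters the picture: the AS vouches for which key the token was bound to, and everything else (method, URI, token hash, freshness, replay, and the signature itself) is checked by the RS against the request it actually received.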