While I don’t have an answer for the question asked, I do want to note that in order to do a proper validation, the introspection request would have to include the values of the DPoP proof, but also the expected HTM and HTU values from the RS, as the AS would not know these directly.
— Justin On Mar 10, 2024, at 4:05 PM, Dick Hardt <dick.ha...@gmail.com> wrote: Hey I was reading over RFC 9449 and was surprised that introspection did not take the DPoP header so that the introspection endpoint could do the check on the DPoP proof rather than forcing the Resource Server to do it. https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation- Curious what was the reasoning behind this? /Dick _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
