Understood

On Thu, Mar 14, 2024 at 9:58 PM Justin Richer <jric...@mit.edu> wrote:

> While I don’t have an answer for the question asked, I do want to note
> that in order to do a proper validation, the introspection request would
> have to include the values of the DPoP proof, but also the expected HTM and
> HTU values from the RS, as the AS would not know these directly.
>
> — Justin
>
> On Mar 10, 2024, at 4:05 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> Hey
>
> I was reading over RFC 9449 and was surprised that introspection did not
> take the DPoP header so that the introspection endpoint could do the check
> on the DPoP proof rather than forcing the Resource Server to do it.
>
> https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-
>
> Curious what was the reasoning behind this?
>
> /Dick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
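Added example, not part of the thread and not code from RFC 9449 or any participant: a sketch of the comparisons a Resource Server makes between a DPoP proof, the request it actually received (HTM and HTU), and the cnf.jkt value in an introspection response. The function names, the rs.example URL, the key coordinates and the token are constructed for illustration, and signature verification of the proof is assumed to be done separately by a JOSE library.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, sorted, no whitespace, SHA-256.
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
               "OKP": ("crv", "kty", "x")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def rs_side_failures(proof, access_token, introspection, method, url):
    """Names of failed checks (empty list = pass). The proof signature is
    NOT verified here; that step is assumed done by a JOSE library."""
    header_b64, claims_b64, _signature = proof.split(".")
    header, claims = b64url_json(header_b64), b64url_json(claims_b64)
    expected_htu = url.split("#")[0].split("?")[0]  # htu excludes query/fragment
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    try:
        proof_jkt = jwk_thumbprint(header["jwk"])
    except KeyError:  # missing jwk, missing member, or unsupported kty
        proof_jkt = None
    checks = {
        "typ": header.get("typ") == "dpop+jwt",
        "htm": claims.get("htm") == method,        # known only to the RS
        "htu": claims.get("htu") == expected_htu,  # known only to the RS
        "ath": claims.get("ath") == expected_ath,
        "jkt": proof_jkt is not None
               and proof_jkt == introspection.get("cnf", {}).get("jkt"),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample data: the key coordinates and signature are placeholders.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = "constructed-access-token"

def sample_proof(htm="GET", htu="https://rs.example/photos"):
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    claims = {"jti": "constructed-jti", "htm": htm, "htu": htu, "iat": 1710450000,
              "ath": b64url(hashlib.sha256(SAMPLE_TOKEN.encode()).digest())}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "placeholder-signature"])

SAMPLE_INTROSPECTION = {"active": True, "token_type": "DPoP",
                        "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
```

The htm and htu comparisons use values only the RS has from the live request, which is why an introspection endpoint could not run them unless the RS passed those values along.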