Re: [OAUTH-WG] DPoP introspection not including verification

2024-03-14 Justin Richer
While I don’t have an answer for the question asked, I do want to note that in order to do a proper validation, the introspection request would have to include the values of the DPoP proof, but also the expected HTM and HTU values from the RS, as the AS would not know these directly. — Justin

[OAUTH-WG] OAuth for Browser-Based Apps

2024-03-14 Justin Richer
As promised at the last meeting, I have been able to do a full review of the OAuth for Browser Based Applications draft spec, and my notes are attached, indexed by sections and paragraphs where possible. Even though my notes are extensive, I do want to say that overall the document is in great