Introspect Can Be Performed with a Client that is Not Assigned to the Authorization Server
Last Updated:
Overview
Token introspection can be performed even with a disallowed grant type and clients not specified in the Access Policy.
Applies To
- API Access Management
- OAuth 2.0
- Token Introspection
- Authorization Server
Solution
A client not assigned to the authorization server can still inspect an access token granted to a client assigned to the authorization server.
The authorization server's introspection still requires some form of client authentication.
