<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Introspect Can Be Performed with a Client that is Not Assigned to the Authorization Server

Okta Classic Engine
Okta Identity Engine
API Access Management

Overview

Token introspection can be performed even with a disallowed grant type and clients not specified in the Access Policy.

Applies To

  • API Access Management
  • OAuth 2.0
  • Token Introspection
  • Authorization Server

Solution

A client not assigned to the authorization server can still inspect an access token granted to a client assigned to the authorization server.

The authorization server's introspection still requires some form of client authentication.

 

Related References

    Loading
    Okta Support - Introspect Can Be Performed with a Client that is Not Assigned to the Authorization Server