Skip to content

Add {introspection,revocation}_endpoint_auth_methods_supported #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Add {introspection,revocation}_endpoint_auth_methods_supported #7

wants to merge 1 commit into from

Conversation

@selfissued
Copy link
Member

@selfissued selfissued commented Jul 16, 2025

@selfissued selfissued mentioned this pull request Jul 16, 2025
Merged
panva
panva requested changes Jul 16, 2025
View reviewed changes
Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking for now. This is not right but I haven't had a chance to properly disect yet.

panva
panva requested changes Jul 16, 2025
View reviewed changes
Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See openid/federation#232 (comment) - a client has but one authentication method for the purposes of DCR (and intrinsically for other mechanisms supported by the data model introduced through DCR Metadata).

The inclusion of introspection_endpoint_auth_methods_supported and revocation_endpoint_auth_methods_supported client multi-valued metadata would serve no value since:

  • an AS is prohibited from responding with multi-valued metadata in a DCR response
  • there is no single-valued metadata for these
  • client implementations do in-fact use just one client authentication method for all the authenticated endpoints (token, introspection, revocation, ciba, device authorization, par)

@selfissued
Copy link
Member Author

selfissued commented Jul 16, 2025

FYI, should it be useful when reviewing, this is rendered at https://openid.github.io/rp-metadata-choices/mbj-introspection-revocation.html

@jricher
Copy link

jricher commented Jul 16, 2025

Token Introspection was primarily designed to be an RS-facing API, and therefore it's generally not clients that will be calling it. We co-opted client authentication methods because that's the only thing that OAuth defines -- OAuth doesn't really have a good story for RS registration, identification, or authentication. All that said, introspection does explicitly allow introspection of refresh tokens, which are client-held, and allows other types including ID Tokens. These imply that clients could do introspection if they wanted to in some circumstances.

Revocation is a little clearer, in that it's a client-facing API and I think it's reasonable to expect a client to use the same authentication methods for both the token endpoint as other endpoints, including registration.

I think the way we got here is that we built out each of these pieces one at a time and that incremental creep didn't seem bad at the time, but looking back a decade later it's a lot messier and more abstract than it needs to be.

@panva panva closed this Aug 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@panva panva panva requested changes

@ve7jtb ve7jtb Awaiting requested review from ve7jtb

@rohe rohe Awaiting requested review from rohe

@jogu jogu Awaiting requested review from jogu

@peppelinux peppelinux Awaiting requested review from peppelinux

@vdzhuvinov vdzhuvinov Awaiting requested review from vdzhuvinov

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@selfissued @jricher @panva