Closed danj3 closed 3 months ago
@danj3 Thanks for the PR.
I agree with your understanding of the RFC. A valid token issued to any client should return a successful response.
However, this function is used in many places as a validation for a specific client. We therefore can't change the behavior without making it a breaking change.
A major release would have to entail refreshing all certifications, which is a considerable amount of work. For this change alone, I don't think the benefit is enough.
I therefore propose the following:
`check_issued_client` (default: `true`)

@maennchen I think this follows the option route you had in mind. I did use a different option name, not intentionally, but it may be more exact. Added tests for these scenarios as well.
resolves #364
Previously, only a client_id's own token could be introspected; introspect needs to be able to introspect any token for an issuer.
It is my understanding from https://datatracker.ietf.org/doc/html/rfc7662 that the introspect endpoint is valid for use with any token from the issuer. However, the code prior to this change would reject a token when the client_id in the token was not the same as the client_id of the caller to introspect.
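The behaviour discussed in this thread, as an added example that is not the project's own code: an RFC 7662 introspection-response check with the `check_issued_client` opt-out proposed above, keeping the strict client check as the default. The function name and the sample responses are assumptions.

```python
"""Added example (not the PR's own code): RFC 7662 introspection result check
with the `check_issued_client` option discussed in the thread. The function
name and the sample responses below are assumptions, not project code."""


def validate_introspection(response: dict, caller_client_id: str,
                           check_issued_client: bool = True) -> bool:
    """Return True if an introspection response describes a usable token.

    - `active` is the only REQUIRED member of the response (RFC 7662 section
      2.2); an inactive token is rejected regardless of which client holds it.
    - check_issued_client=True (the pre-PR behaviour, kept as the default so the
      change is not breaking) additionally requires the token to have been
      issued to the calling client.
    - check_issued_client=False accepts any active token from the issuer, which
      is what the RFC permits and what the PR enables.
    """
    if response.get("active") is not True:
        return False
    if not check_issued_client:
        return True
    # client_id is OPTIONAL in the response. If the server omits it, strict
    # mode cannot prove the token was issued to the caller and rejects it.
    return response.get("client_id") == caller_client_id


# Constructed sample responses (not from any real authorization server).
OWN_TOKEN = {"active": True, "client_id": "client-a", "scope": "openid"}
OTHER_CLIENT_TOKEN = {"active": True, "client_id": "client-b", "scope": "openid"}
INACTIVE_TOKEN = {"active": False}
NO_CLIENT_ID_TOKEN = {"active": True, "scope": "openid"}


if __name__ == "__main__":
    # Default (strict) mode: only the caller's own token passes.
    print(validate_introspection(OWN_TOKEN, "client-a"))             # True
    print(validate_introspection(OTHER_CLIENT_TOKEN, "client-a"))    # False
    # Opt-out: any active token from the issuer passes; inactive never does.
    print(validate_introspection(OTHER_CLIENT_TOKEN, "client-a",
                                 check_issued_client=False))         # True
    print(validate_introspection(INACTIVE_TOKEN, "client-a",
                                 check_issued_client=False))         # False
```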