indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Token Introspection #94

Closed dshanske closed 2 years ago

dshanske commented 2 years ago

As per the proposal at the 2021 Popup, this extends the token verification response to match the token introspection endpoint parameters, and extends the request to support the POST method used in that extension. It does not remove GET but retains it as an alternative, aligning its response to the same. It also changes the response to an invalid token to a 200 in line with the spec.

Closes #33.

jamietanna commented 2 years ago

We should make sure this closes #33.

aaronpk commented 2 years ago

Didn't we discuss moving token introspection to its own endpoint with its own rel value? If an implementation wants to use the same endpoint for both it would be possible with <link rel="token_endpoint introspection_endpoint"...> and since the parameters don't conflict it would be possible to do this. But for a simpler implementation you could have separate URLs for those as well.

dshanske commented 2 years ago

> Didn't we discuss moving token introspection to its own endpoint with its own rel value? If an implementation wants to use the same endpoint for both it would be possible with <link rel="token_endpoint introspection_endpoint"...> and since the parameters don't conflict it would be possible to do this. But for a simpler implementation you could have separate URLs for those as well.

I don't recall this. If you look at what you yourself wrote in #33 we decided to use the same endpoint.

dshanske commented 2 years ago

@aaronpk @jamietanna Hopefully made the suggested changes.

dshanske commented 2 years ago

Rewrite to support separate endpoint using metadata proposal #43 once PR for that is merged.

dshanske commented 2 years ago

Refreshed PR to accommodate metadata endpoint.

aaronpk commented 2 years ago

This is a pretty big change to the existing behavior, but essentially it's doing it by adding a new introspection feature with a new introspection endpoint, and removing the old introspection feature at the token endpoint. I'm going to add a little warning to the section to refer to the previous behavior.
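A worked example of the endpoint behavior this thread settles on, added here and not code from the indieauth repository: a POST-only introspection handler that authenticates the calling resource server and answers HTTP 200 with `active: false` for unknown and expired tokens alike, which is the "invalid token returns 200" change the PR describes. The token store, the introspection credential and all URLs are constructed; the `me`, `client_id`, `scope`, `exp` and `iat` response fields are assumed from RFC 7662 and the IndieAuth spec rather than taken from this page.

```python
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed in-memory token store: access token -> claims a real server
# would load from its database. Field names are assumed from RFC 7662 / IndieAuth.
TOKENS = {
    "tok-valid": {"me": "https://user.example.net/", "client_id": "https://app.example.com/",
                  "scope": "create update", "iat": 1_700_000_000, "exp": 1_700_000_000 + 3600},
    "tok-expired": {"me": "https://user.example.net/", "client_id": "https://app.example.com/",
                    "scope": "create", "iat": 1_600_000_000, "exp": 1_600_000_000 + 3600},
}

# Constructed credentials for resource servers allowed to call introspection.
# The spec leaves the authentication mechanism open; a bearer secret is assumed.
INTROSPECTION_CLIENTS = {"introspect-secret-1"}


def introspect(method: str, headers: dict, body: str, now: Optional[int] = None):
    """Handle one request to the introspection endpoint.

    Returns (http_status, json_body). Only POST is handled in this example:
    the caller sends `token` as a form parameter (RFC 7662 shape).
    """
    now = int(time.time()) if now is None else now
    if method != "POST":
        return 405, {"error": "invalid_request"}

    # Authenticate the caller first so unauthenticated parties cannot use the
    # endpoint as an oracle for which token strings are live.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in INTROSPECTION_CLIENTS:
        return 401, {"error": "unauthorized"}

    token = parse_qs(body).get("token", [""])[0]
    claims = TOKENS.get(token)

    # Unknown and expired tokens get the same 200 {"active": false} response,
    # so the caller learns nothing beyond "do not accept this token".
    if claims is None or claims["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **claims}
```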