Open AdamWill opened 1 month ago
As I work for Red Hat I cannot agree to "consent that the copyright of your pull request source code belongs to Authlib's author" without my employer's permission, but I think this change is too trivial to be copyrightable.
When token introspection was introduced in 6f5d19a, using the code that previously only handled token revocation, the new `_handle_token_hint` method that does the work for both `introspect_token` and `revoke_token` kept using `self.revocation_endpoint_auth_method` unconditionally if no `auth` was passed in with the introspect or revoke request. This seems to be wrong, introspecting a token should use the `token_endpoint_auth_method`.

This leaves the fallback to `revocation_endpoint_auth_method` in `_handle_token_hint` because adjusting its signature to make `auth` compulsory would be awkward, but it's not expected ever to be used.

What kind of change does this PR introduce? (check at least one)
Does this PR introduce a breaking change? (check one)
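The fallback described in this PR, as an added example that is not taken from the PR or from Authlib's code: a simplified stand-in client showing which client authentication method each request ends up with before and after the described change. The class `SketchClient`, the `fixed` switch, the sample method values, and the way `revoke_token` resolves its default are assumptions made for the sketch.

```python
class SketchClient:
    """Constructed stand-in for an OAuth 2.0 client (hypothetical, not Authlib)."""

    def __init__(self, token_method, revocation_method, fixed):
        self.token_endpoint_auth_method = token_method
        self.revocation_endpoint_auth_method = revocation_method
        # False models the behaviour the PR calls wrong, True the described fix.
        self.fixed = fixed

    def _handle_token_hint(self, kind, auth=None):
        # Shared helper: the fallback to the revocation method stays in place,
        # as the PR says, because making `auth` compulsory would be awkward.
        if auth is None:
            auth = self.revocation_endpoint_auth_method
        return {"request": kind, "auth_method": auth}

    def introspect_token(self, auth=None):
        # Described fix: resolve the default before calling the shared helper.
        if self.fixed and auth is None:
            auth = self.token_endpoint_auth_method
        return self._handle_token_hint("introspect", auth)

    def revoke_token(self, auth=None):
        # Assumption: revocation resolves its own default the same way.
        if self.fixed and auth is None:
            auth = self.revocation_endpoint_auth_method
        return self._handle_token_hint("revoke", auth)


def auth_methods(fixed):
    """Return (introspect default, revoke default, introspect with explicit auth)."""
    client = SketchClient("private_key_jwt", "client_secret_basic", fixed)
    return (
        client.introspect_token()["auth_method"],
        client.revoke_token()["auth_method"],
        client.introspect_token(auth="client_secret_post")["auth_method"],
    )


if __name__ == "__main__":
    print("before:", auth_methods(fixed=False))
    print("after: ", auth_methods(fixed=True))
```

The mismatch only shows up when the two configured methods differ and the caller passes no `auth`, which is why a client configured with the same method for both endpoints would not notice it.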