xdavidwu
commented
8 months ago implementation will also likely to share:
- we may want to use userinfo endpoint additionally (currently unimplemented and uses only id_token, but introspection does not have one)
- validation
- not a JWT, but introspection response may contains metadata similiar to JWT standard claims
design may also be similiar: a factory to map data to user, with a generic in-session-only fallback
not sure if it is really in scope of this project, but this sure will benifit from sharing configuration with us, especially for token instrospection endpoint that is protected with client authentication (id+secret), the first protection approach suggested by rfc7662.