- changed status to open
OAuth 2.0: TokenIntrospectionRequest x-www-form-urlencoded read from query param
Issue #432
resolved
The token introspection endpoint (https://www.rfc-editor.org/rfc/rfc7662.html), as I understand it, should only receive POST requests with an application/x-www-form-urlencoded body.
After some tests, it seems that the com.nimbusds.oauth2.sdk.TokenIntrospectionRequest.parse method (see attached pic) also accepts requests sent with POST and parameters in the query string (in the URL instead of the body).
It should only accept requests with params sent as payload, not as query params.
Comments (3)
reporter - edited description
- changed status to resolved
Fixed here dedfc062 for v11.0.
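
A pre-parse guard of the kind the report asks for, as an added example using only the JDK; it is not Nimbus SDK code and not the change made in dedfc062. The names `StrictIntrospectionGuard`, `decodeForm` and `check` and the host `as.example.com` are hypothetical, and the sample requests are constructed.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical pre-parse guard (added example, not Nimbus SDK code). */
public class StrictIntrospectionGuard {
    /** Decodes a form-encoded string; repeated parameter names are rejected. */
    static Map<String, String> decodeForm(String encoded) {
        Map<String, String> params = new LinkedHashMap<>();
        if (encoded == null || encoded.isEmpty()) return params;
        for (String pair : encoded.split("&")) {
            if (pair.isEmpty()) continue;
            String[] kv = pair.split("=", 2);
            String name = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
            String value = kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "";
            if (params.put(name, value) != null)
                throw new IllegalArgumentException("duplicate parameter: " + name);
        }
        return params;
    }

    /** Returns the body parameters, or throws when the request shape is not acceptable. */
    static Map<String, String> check(String method, URI url, String contentType, String body) {
        if (!"POST".equals(method))
            throw new IllegalArgumentException("introspection requires POST");
        // Introspection parameters in the URL are refused; URLs are commonly written to access logs.
        Map<String, String> query = decodeForm(url.getRawQuery());
        if (query.containsKey("token") || query.containsKey("token_type_hint"))
            throw new IllegalArgumentException("introspection parameters found in query string");
        // Compare the media type only, ignoring parameters such as charset.
        String mediaType = contentType == null ? "" : contentType.split(";", 2)[0].trim();
        if (!"application/x-www-form-urlencoded".equalsIgnoreCase(mediaType))
            throw new IllegalArgumentException("body must be application/x-www-form-urlencoded");
        Map<String, String> params = decodeForm(body);
        if (params.getOrDefault("token", "").isEmpty())
            throw new IllegalArgumentException("missing token parameter in body");
        return params;
    }

    public static void main(String[] args) {
        String form = "application/x-www-form-urlencoded; charset=UTF-8";
        System.out.println(check("POST", URI.create("https://as.example.com/introspect"),
                form, "token=abc&token_type_hint=access_token"));   // accepted: params in body
        try {
            check("POST", URI.create("https://as.example.com/introspect?token=abc"), form, "");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());      // params in query string
        }
    }
}
```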