OAuth 2.0: TokenIntrospectionRequest x-www-form-urlencoded read from query param

Issue #432 resolved
Pasquale Barbaro created an issue

The token introspection endpoint (https://www.rfc-editor.org/rfc/rfc7662.html), as I understand it, should only receive POST requests with an application/x-www-form-urlencoded body.
After some tests, it seems that the com.nimbusds.oauth2.sdk.TokenIntrospectionRequest.parse method (see attached pic) also accepts requests sent with POST and parameters in the query string (in the URL instead of the body).
It should only accept requests with params sent as payload, not as query params.
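
The check requested in this issue, sketched as an added example that is not part of the issue or of the Nimbus SDK: a guard that runs before any parser and refuses an introspection request carrying a query string. The class and method names are hypothetical, only JDK classes are used, and rejecting repeated parameters is this example's own choice.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
// Hypothetical guard, not part of the Nimbus SDK: run it before handing the request to a parser.
public class IntrospectionRequestGuard {
    /** Returns the body's form parameters, or throws if the request is not a form-encoded POST without a query string. */
    static Map<String, String> check(String method, URI uri, String contentType, String body) {
        if (!"POST".equalsIgnoreCase(method))
            throw new IllegalArgumentException("introspection requires POST");
        // Reject any query string: a token placed in the URL tends to end up in access logs.
        if (uri.getRawQuery() != null && !uri.getRawQuery().isEmpty())
            throw new IllegalArgumentException("parameters must be in the body, not the query string");
        // Compare the media type only, ignoring parameters such as "; charset=UTF-8".
        String mediaType = contentType == null ? "" : contentType.split(";", 2)[0].trim();
        if (!"application/x-www-form-urlencoded".equalsIgnoreCase(mediaType))
            throw new IllegalArgumentException("unexpected Content-Type: " + contentType);
        Map<String, String> params = new LinkedHashMap<>();
        if (body != null && !body.isEmpty()) {
            for (String pair : body.split("&")) {
                if (pair.isEmpty()) continue;
                String[] kv = pair.split("=", 2);
                String key = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
                String value = kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "";
                // A repeated parameter is ambiguous; refuse rather than pick one.
                if (params.putIfAbsent(key, value) != null)
                    throw new IllegalArgumentException("duplicate parameter: " + key);
            }
        }
        if (params.getOrDefault("token", "").isEmpty())
            throw new IllegalArgumentException("missing token parameter");
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        URI clean = URI.create("https://as.example.com/introspect");
        URI withQuery = URI.create("https://as.example.com/introspect?token=abc123");
        String type = "application/x-www-form-urlencoded; charset=UTF-8";
        System.out.println(check("POST", clean, type, "token=abc123&token_type_hint=access_token"));
        try {
            check("POST", withQuery, type, "");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```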
