introspection_ endpoint_ auth_ methods_ supported
Registry Context
This optional authorization server metadata field lists the client authentication methods supported by the token introspection endpoint. If omitted, the supported methods must be determined by other means; RFC 8414 defines no default.
Technical Summary
The value is a JSON array. Valid values are registered in either the IANA OAuth Token Endpoint Authentication Methods registry or the IANA OAuth Access Token Types registry.
When Used
Used in OAuth authorization server metadata to advertise how clients can authenticate to the introspection endpoint.
Normative Requirements
Authorization servers
RFC 8414 - Section 2
use the value none in introspection_endpoint_auth_signing_alg_values_supported.
The value "none" MUST NOT be used.
RFC 8414 - Section 2
include introspection_endpoint_auth_signing_alg_values_supported.
Condition: if private_key_jwt or client_secret_jwt is specified in introspection_endpoint_auth_methods_supported
This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry.
RFC 8414 - Section 2
include introspection_endpoint_auth_methods_supported as a JSON array listing client authentication methods supported by the introspection endpoint.
introspection_endpoint_auth_methods_supported OPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint.
Authorization server metadata responses
RFC 8414 - Section 3.2
omit claims with zero elements from the response.
Condition: when a metadata claim would contain zero elements
Claims with zero elements MUST be omitted from the response.
Unspecified actor
RFC 8414 - Section 2
determine the set of supported introspection endpoint authentication methods by other means.
Condition: if introspection_endpoint_auth_methods_supported is omitted
If omitted, the set of supported authentication methods MUST be determined by other means.
Validation Guidance
If present, verify that the value is a non-empty JSON array.
Verify that each array member is a value registered in either the IANA OAuth Token Endpoint Authentication Methods registry or the IANA OAuth Access Token Types registry.
If the array contains private_key_jwt or client_secret_jwt, require introspection_endpoint_auth_signing_alg_values_supported to be present.
Reject none in introspection_endpoint_auth_signing_alg_values_supported.
If the field is absent, do not assume a default authentication method for the introspection endpoint.
Reference
Details
- Entry Id
introspection_endpoint_ auth_ methods_ supported - Metadata Name
introspection_endpoint_ auth_ methods_ supported - Metadata Description
JSON array containing a list of client authentication methods supported by this introspection endpoint- Change Controller
IESG- Reference
RFC8414 - Section 2