oauth2.dev

introspection_endpoint_auth_methods_supported

IESG

Registry Context

This optional authorization server metadata field lists the client authentication methods supported by the token introspection endpoint. If omitted, the supported methods must be determined by other means; RFC 8414 defines no default.

Technical Summary

The value is a JSON array. Valid values are registered in either the IANA OAuth Token Endpoint Authentication Methods registry or the IANA OAuth Access Token Types registry.

When Used

Used in OAuth authorization server metadata to advertise how clients can authenticate to the introspection endpoint.

Normative Requirements

Authorization servers

MUST NOT
1
  1. RFC 8414 - Section 2

    use the value none in introspection_endpoint_auth_signing_alg_values_supported.

    The value "none" MUST NOT be used.

MUST
1
  1. RFC 8414 - Section 2

    include introspection_endpoint_auth_signing_alg_values_supported.

    Condition: if private_key_jwt or client_secret_jwt is specified in introspection_endpoint_auth_methods_supported

    This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry.

OPTIONAL
1
  1. RFC 8414 - Section 2

    include introspection_endpoint_auth_methods_supported as a JSON array listing client authentication methods supported by the introspection endpoint.

    introspection_endpoint_auth_methods_supported OPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint.

Authorization server metadata responses

MUST
1
  1. RFC 8414 - Section 3.2

    omit claims with zero elements from the response.

    Condition: when a metadata claim would contain zero elements

    Claims with zero elements MUST be omitted from the response.

Unspecified actor

MUST
1
  1. RFC 8414 - Section 2

    determine the set of supported introspection endpoint authentication methods by other means.

    Condition: if introspection_endpoint_auth_methods_supported is omitted

    If omitted, the set of supported authentication methods MUST be determined by other means.

Validation Guidance

error

If present, verify that the value is a non-empty JSON array.

error

Verify that each array member is a value registered in either the IANA OAuth Token Endpoint Authentication Methods registry or the IANA OAuth Access Token Types registry.

error

If the array contains private_key_jwt or client_secret_jwt, require introspection_endpoint_auth_signing_alg_values_supported to be present.

error

Reject none in introspection_endpoint_auth_signing_alg_values_supported.

info

If the field is absent, do not assume a default authentication method for the introspection endpoint.

Reference

Details

Entry Id
introspection_endpoint_auth_methods_supported
Metadata Name
introspection_endpoint_auth_methods_supported
Metadata Description
JSON array containing a list of client authentication methods supported by this introspection endpoint
Change Controller
IESG
Reference
RFC8414 - Section 2