client_ id
Registry Context
Identifies the OAuth 2.0 client that requested the introspected token.
Technical Summary
`client_id` is an optional top-level member of the token introspection response JSON object.
When Used
Included when the authorization server provides the client identifier associated with the token.
Normative Requirements
Authorization servers
RFC 7662 - Section 2.2
Include `client_id` or other additional token information in a response for an inactive token..
Condition: When the introspected token is inactive, nonexistent, or not permitted to be introspected by the protected resource.
the authorization server SHOULD NOT include any additional information about an inactive token
RFC 7662 - Section 2.2
The token introspection response can include `client_id` as an optional top-level member identifying the OAuth 2.0 client that requested the token..
Condition: When constructing a token introspection response.
client_id OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.
Validation Guidance
If present, verify that `client_id` is a top-level member of the introspection response.
Warn if `client_id` is included when `active` is `false`, because it discloses additional information about an inactive token.
Security Notes
RFC 7662 - Section 2.2
Omitting `client_id` and other additional information for inactive tokens helps avoid disclosing authorization-server state to a third party.
Reference
Details
- Entry Id
client_id - Name
client_id - Description
Client identifier of the client- Change Controller
IESG- Reference
RFC7662 - Section 2.2