oauth2.dev

client_id

IESG

Registry Context

Identifies the OAuth 2.0 client that requested the introspected token.

Technical Summary

`client_id` is an optional top-level member of the token introspection response JSON object.

When Used

Included when the authorization server provides the client identifier associated with the token.

Normative Requirements

Authorization servers

SHOULD NOT
1
  1. RFC 7662 - Section 2.2

    Include `client_id` or other additional token information in a response for an inactive token..

    Condition: When the introspected token is inactive, nonexistent, or not permitted to be introspected by the protected resource.

    the authorization server SHOULD NOT include any additional information about an inactive token

OPTIONAL
1
  1. RFC 7662 - Section 2.2

    The token introspection response can include `client_id` as an optional top-level member identifying the OAuth 2.0 client that requested the token..

    Condition: When constructing a token introspection response.

    client_id OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.

Validation Guidance

error

If present, verify that `client_id` is a top-level member of the introspection response.

warning

Warn if `client_id` is included when `active` is `false`, because it discloses additional information about an inactive token.

Security Notes

RFC 7662 - Section 2.2

Omitting `client_id` and other additional information for inactive tokens helps avoid disclosing authorization-server state to a third party.

Reference

Details

Entry Id
client_id
Name
client_id
Description
Client identifier of the client
Change Controller
IESG
Reference
RFC7662 - Section 2.2