whatvn commented on PR #9127: URL: https://github.com/apache/apisix/pull/9127#issuecomment-1479303257
@starsz according to RFC 7662, https://www.rfc-editor.org/rfc/rfc7662#section-2.1:

```
The introspection endpoint MAY accept other OPTIONAL parameters to provide further context to the query. For instance, an authorization server may desire to know the IP address of the client accessing the protected resource to determine if the correct client is likely to be presenting the token. The definition of this or any other parameters are outside the scope of this specification, to be defined by service documentation or extensions to this specification. If the authorization server is unable to determine the state of the token without additional information, it SHOULD return an introspection response indicating the token is not active as described in Section 2.2 (https://www.rfc-editor.org/rfc/rfc7662#section-2.2).
```

A client can also provide additional parameters to let the authorization server optimize its search query. That's why the OIDC resty module we are using allows us to add **scope** when introspecting the token.

Regarding your question, I think I may also add another check: in case the authorization server (other than Ory Hydra, which I am testing with) does not support **scope** in the request, we can still check the granted scope. What do you think?
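An added example, not part of the comment above and not APISIX or lua-resty-openidc code, of the two halves of that idea: building an RFC 7662 introspection request that carries the optional (extension, not RFC-defined) `scope` parameter, and then enforcing the required scopes locally against the `scope` member of the introspection response (RFC 7662 Section 2.2), so the check still holds when the server ignores the request parameter. The sample responses and the `build_introspection_body`/`authorize` helper names are constructed for the example.

```python
"""Local enforcement of granted scope on an RFC 7662 introspection response.

Added example; helper names and sample responses are constructed here and
are not from APISIX or lua-resty-openidc.
"""
from urllib.parse import urlencode


def build_introspection_body(token, token_type_hint="access_token", scope=None):
    """Form-encode the introspection request body.

    RFC 7662 Section 2.1 defines `token` (required) and `token_type_hint`
    (optional). `scope` is an extension parameter that some servers accept;
    a server that does not understand it may simply ignore it, which is why
    the response must still be checked by `authorize` below.
    """
    params = {"token": token, "token_type_hint": token_type_hint}
    if scope:
        params["scope"] = " ".join(sorted(scope))  # space-separated, as in OAuth 2.0
    return urlencode(params)


def granted_scopes(resp):
    """Return the scopes the server says the token carries.

    RFC 7662 Section 2.2 defines `scope` as an optional space-separated
    string; a missing or empty value means no scope was granted. A JSON
    array is tolerated because some servers return one (non-standard).
    """
    value = resp.get("scope")
    if not value:
        return frozenset()
    if isinstance(value, (list, tuple)):
        return frozenset(value)
    return frozenset(value.split())


def authorize(resp, required_scopes):
    """Decide whether an introspected token may access a resource.

    Returns (allowed, reason). The token must be active (a boolean `true`,
    exactly as the RFC specifies) and must carry every required scope,
    regardless of whether a `scope` parameter was sent in the request.
    """
    if resp.get("active") is not True:
        return False, "token not active"
    missing = frozenset(required_scopes) - granted_scopes(resp)
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample introspection responses (not captured from any server).
ACTIVE_FULL = {"active": True, "scope": "read write",
               "client_id": "example-client", "exp": 1700000000}
ACTIVE_PARTIAL = {"active": True, "scope": "read"}
INACTIVE = {"active": False}

if __name__ == "__main__":
    print(build_introspection_body("opaque-token", scope={"read", "write"}))
    for name, resp in (("full", ACTIVE_FULL), ("partial", ACTIVE_PARTIAL),
                       ("inactive", INACTIVE)):
        print(name, authorize(resp, {"read", "write"}))
```

The point of `authorize` is that the request-side `scope` parameter is only a hint to the server; the response-side check is what actually enforces the policy, and it rejects a token that is active but lacks a required scope, or whose `active` member is anything other than boolean `true`.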
