Hello, Thank you for your work on draft-ietf-oauth-introspection-07. The security considerations appear to be addressed well and I was glad to see how a response is handled when the response code is false, to not reveal information as to why.
The privacy considerations look good, but I do have another question that should be addressed in the draft in regard to privacy. Section 2.1 says an IP address (or something else) might be used to provide context of the query, the authorization server could have other information about the client. It would be good to mention privacy related considerations for the client in this case in addition to what gets returned in the Introspection Response (already covered). Thank you. -- Best regards, Kathleen
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
