Hi Ben,
I saw your question and by coincidence I had just been doing some reading in
RFC7662.
Maybe this helps.
Could you give me a pointer where in the text it says that if "active" is
false, no other claims are present? ("active" only appears three times,
but none of them seem to say this.)
https://tools.ietf.org/html/rfc7662#page-12 says:
To avoid disclosing the internal state of the authorization server,
an introspection response for an inactive token SHOULD NOT contain
any additional claims beyond the required "active" claim (with its
value set to "false").
Regards, Jaap Francke
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
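As an added illustration of the RFC 7662 behaviour quoted above (this is example code, not something posted in the thread or taken from any implementation), the following Python sketch shows an introspection responder that returns only the required "active" claim for any inactive token, so that a caller cannot tell a revoked token from an expired or unknown one, together with the resource-server side check and a small compliance helper. The in-memory token store, the token strings, the client and subject names, and the injected clock are all constructed assumptions for the example.

```python
"""Minimal RFC 7662 token-introspection responder and client-side check.

Added example; not code from the mailing-list thread. The token store,
token values and the 'now' clock are constructed for illustration.
"""
import time

# Constructed in-memory token store (hypothetical). In a real authorization
# server this would be a database or a signed-token verifier.
TOKEN_DB = {
    "tok-active": {
        "active": True, "client_id": "app1", "sub": "alice",
        "scope": "read write", "exp": 2_000_000_000,
    },
    "tok-expired": {
        "active": True, "client_id": "app1", "sub": "bob",
        "scope": "read", "exp": 1_600_000_000,
    },
    "tok-revoked": {
        "active": False, "client_id": "app2", "sub": "carol",
        "scope": "read write admin", "exp": 2_000_000_000,
    },
}

INACTIVE_RESPONSE = {"active": False}


def introspect(token, now=None):
    """Build the introspection response for `token` (RFC 7662 section 2.2).

    Unknown, revoked and expired tokens all get the identical response
    {"active": false}: per RFC 7662 the server SHOULD NOT add any other
    claim, so the caller cannot learn *why* the token is inactive or that
    it ever existed.
    """
    now = time.time() if now is None else now
    rec = TOKEN_DB.get(token)
    if rec is None or not rec["active"] or rec["exp"] <= now:
        # Return a fresh copy so callers cannot mutate the shared constant.
        return dict(INACTIVE_RESPONSE)
    # Active token: echo the stored claims, with "active" as a JSON boolean.
    resp = {"active": True}
    resp.update({k: v for k, v in rec.items() if k != "active"})
    return resp


def inactive_response_is_compliant(resp):
    """True if an inactive response carries nothing beyond "active": false."""
    return resp.get("active") is False and set(resp) == {"active"}


def authorize(resp, required_scope):
    """Resource-server side: accept only an active token whose scope covers
    the required scope. Anything other than the boolean True is rejected,
    so a string "true" or a missing claim never grants access."""
    if resp.get("active") is not True:
        return False
    granted = set(resp.get("scope", "").split())
    return required_scope in granted


if __name__ == "__main__":
    clock = 1_700_000_000
    for tok in ("tok-active", "tok-expired", "tok-revoked", "no-such-token"):
        r = introspect(tok, now=clock)
        print(tok, r, "write allowed:", authorize(r, "write"))
```

The point of routing every inactive case through the same `INACTIVE_RESPONSE` is that the response for a revoked token and for a token that never existed are byte-for-byte identical; `inactive_response_is_compliant` is the check you would run in a test suite to make sure no code path later adds, say, an `error` or `client_id` field to the inactive branch.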