Unexpected unverified party error for OIDC RP
Cantor, Scott
cantor.2 at osu.edu
Thu Jul 15 16:08:59 UTC 2021
On 7/15/21, 11:37 AM, "users on behalf of Darren Boss" <users-bounces at shibboleth.net on behalf of darren.boss at computecanada.ca> wrote:
> The developers are responsive too and asking how they can assist which
> is good. They are also testing with Keycloak and both mentioned that
> when working with Keycloak, they didn't have to specify
> client_secret_post nor are they having failures with the introspection
> endpoint. I suspect the Keycloak introspection endpoint is wide open
> and not requiring authentication but at this point it's just a guess.
Umm, cool. That's super safe.
Anyway, that’s probably it then. I checked the RFC before I responded and it's explicit about requiring it be protected to limit it to the party the token was issued to, which...duh.
-- Scott
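
The behaviour discussed in this thread, as an added example (not code from the thread, Shibboleth or Keycloak): a token introspection handler in the style of RFC 7662 that rejects unauthenticated callers and reports a token as active only to the client it was issued to. The function names, client IDs, secrets and token values are constructed for illustration; it accepts both `client_secret_basic` and `client_secret_post`.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote_plus

# Constructed sample data (not from the thread): registered clients and issued tokens.
CLIENTS = {"rp-app": "s3cr3t-rp", "other-rs": "s3cr3t-rs"}
TOKENS = {"tok-abc": {"client_id": "rp-app", "scope": "openid", "sub": "alice"}}


def authenticate_client(authorization, form):
    """Return the authenticated client_id, or None.

    Accepts client_secret_basic (Authorization header) or
    client_secret_post (credentials in the form body).
    """
    client_id = secret = None
    if authorization and authorization.lower().startswith("basic "):
        try:
            raw = base64.b64decode(authorization[6:].strip(), validate=True).decode()
            client_id, _, secret = raw.partition(":")
            client_id, secret = unquote_plus(client_id), unquote_plus(secret)
        except (ValueError, UnicodeDecodeError):
            return None
    elif "client_id" in form and "client_secret" in form:
        client_id, secret = form["client_id"][0], form["client_secret"][0]
    expected = CLIENTS.get(client_id)
    if expected is None or secret is None:
        return None
    return client_id if hmac.compare_digest(expected.encode(), secret.encode()) else None


def introspect(authorization, body):
    """Handle an introspection POST; returns (http_status, json_dict)."""
    form = parse_qs(body)
    caller = authenticate_client(authorization, form)
    if caller is None:
        # No valid client credentials: never reveal anything about the token.
        return 401, {"error": "invalid_client"}
    token = TOKENS.get(form.get("token", [""])[0])
    # Unknown tokens and tokens issued to a different client look identical.
    if token is None or token["client_id"] != caller:
        return 200, {"active": False}
    return 200, {"active": True, **token}
```
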