"none" authentication method on introspection endpoint

I’m trying to call the introspection endpoint, and from the openid-configuration I can see that “none” is one of the options available (the last one).

I’m trying to implement it as a fallback, but the response I’m getting is 400 / {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaeSMCGp9PNRgyhcq4Ck3-fqw","errorCauses":[]}.

How do I do an introspection request with the “none” authentication method?

This endpoint requires authentication, so you need to present valid credentials: https://developer.okta.com/docs/reference/api/oidc/#introspect

Thanks @phi1ipp, I was not sure if it actually required authentication. The thing is though that I need to make that decision based on what I get from the openid-configuration, and in that file, for introspection_endpoint_auth_methods_supported, the "none" value is returned as the last option in the array. For me that means that the server supports “no authorization” for this endpoint. So I would expect the server to do one of:

  • Include "none" in introspection_endpoint_auth_methods_supported and (preferably) allow no auth or return 401
  • NOT include "none" in introspection_endpoint_auth_methods_supported and return 400 or 401 on no auth
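
An added example, not part of the thread and not Okta's code: choosing a client authentication method from `introspection_endpoint_auth_methods_supported` and building the matching introspection request. It assumes "none" has its RFC 7591 meaning (a public client with no secret that is still identified) and that the server reads `client_id` from the form body; the host, client id and token are constructed placeholders.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Constructed discovery fragment; host and values are placeholders.
SAMPLE_METADATA = {
    "introspection_endpoint": "https://idp.example.com/oauth2/v1/introspect",
    "introspection_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "none"],
}

def choose_auth_method(metadata, has_secret):
    """Pick a method this client can actually perform, in server order."""
    supported = metadata.get("introspection_endpoint_auth_methods_supported")
    if not supported:
        # RFC 8414: if omitted, supported methods must be learned by other means.
        raise ValueError("auth methods not advertised")
    usable = ({"client_secret_basic", "client_secret_post"} if has_secret
              else {"none"})
    for method in supported:
        if method in usable:
            return method
    raise ValueError("no usable auth method; have secret: %s" % has_secret)

def build_introspection_request(metadata, token, client_id, client_secret=None):
    """Return (method, url, headers, body) without sending anything."""
    method = choose_auth_method(metadata, client_secret is not None)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    form = {"token": token, "token_type_hint": "access_token"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-encode id and secret, then Basic-encode.
        pair = "%s:%s" % (quote_plus(client_id), quote_plus(client_secret))
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        # "none": no credentials, but the client is still identified.
        # Assumption: the server reads client_id from the form body.
        form["client_id"] = client_id
    return method, metadata["introspection_endpoint"], headers, urlencode(form)

if __name__ == "__main__":
    print(build_introspection_request(SAMPLE_METADATA, "constructed-token", "app123"))
```
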
