
Why does WSO2 require a tenant username / password when introspecting tokens using OAuth2?


I have been working with OAuth2 for the past few days and I believe I have it mostly figured out and have my code working fairly well. I find it odd that WSO2 doesn't allow you to authorize OAuth2 token introspection using client_id / client_secret. Is there a reason why this isn't allowed?

My understanding with OAuth2 is that you are expected to register your client with the authorization server (register as a Service Provider under WSO2). This gives the client the ability to identify itself with the server. What is special about a tenant user that it must also be provided to introspect a token? Other OAuth2 systems do not have this requirement.


Solution

  • I think that's one of their design decisions. Going through the token introspection documentation, I think what they want is to make introspection independent from the client, so that any other application that knows the credentials of an end user (which resides in a tenant) can introspect the token for validation. I think there are use cases for such needs.

    Regardless, RFC7662 - Token introspection does not mandate that implementations use client credentials. It is up to the implementer to choose the method. But yes, it does mention client credentials and Bearer tokens.

    To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750]. The methods of managing and validating these authentication credentials are out of scope of this specification.
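As an added illustration (not code from the question, the answer, or WSO2 itself), the following shows a resource server calling an RFC 7662 introspection endpoint with HTTP Basic credentials and then deciding whether to honour the token. The endpoint URL, the scope names and the sample responses are assumptions constructed for the example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed WSO2 IS introspection endpoint; not stated on the page.
INTROSPECT_URL = "https://localhost:9443/oauth2/introspect"


def build_request(token, auth_user, auth_pass, url=INTROSPECT_URL):
    """Return (url, headers, body) for an RFC 7662 introspection call.

    The endpoint itself is protected with HTTP Basic credentials: on WSO2 IS
    these are the tenant user/password the question describes, on other
    servers typically client_id/client_secret. Either way the caller must
    authenticate, which is what RFC 7662 requires against token scanning."""
    creds = base64.b64encode(f"{auth_user}:{auth_pass}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"token": token}).encode()
    return url, headers, body


def introspect(token, auth_user, auth_pass, url=INTROSPECT_URL):
    """POST the token to the introspection endpoint and return the JSON reply."""
    url, headers, body = build_request(token, auth_user, auth_pass, url)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def token_accepted(intro, required_scopes, now=None):
    """Resource-server decision on an introspection response.

    Accept only if the server says the token is active, it has not expired
    (the `exp` claim is optional in RFC 7662, so absence is not a failure),
    and every required scope is present in the space-separated `scope`."""
    now = time.time() if now is None else now
    if intro.get("active") is not True:
        return False
    exp = intro.get("exp")
    if exp is not None and now >= exp:
        return False
    granted = set(intro.get("scope", "").split())
    return set(required_scopes).issubset(granted)


# Constructed sample responses (not captured from a real server).
SAMPLE_ACTIVE = {"active": True, "scope": "openid profile", "client_id": "demo",
                 "username": "alice@carbon.super", "exp": 1_700_000_000}
SAMPLE_INACTIVE = {"active": False}
```

An inactive response carries only `active: false`, so the decision logic must never infer anything from missing claims.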