Duende IdentityServer does not validate introspection requests for Refresh Tokens

[mikbazz19]

In the RFC document for OAuth 2.0 Token Introspection (https://www.rfc-editor.org/rfc/rfc7662), mentioned that introspection requests can be validated for Access and Refresh tokens. But after going through the open-source code for Duende IdentityServer it seems that Duende IdentityServer does not validate the introspection request for refresh token.
Thought of sharing the same since generally, the introspection requests are being validated against Access token (but Refresh token is not out of scope).

[mikbazz19]

Any update on this?

[leastprivilege]

it seems that Duende IdentityServer does not validate the introspection request for refresh token

What makes you think that? And what exactly do you mean with "validate" ?

[leastprivilege]

Oh sorry - now I see. I always read "revocation" and not "introspection".

Seems we haven't implemented introspection for refresh tokens. What would be your use case for that?

[mikbazz19]

I was just hitting our IdP's (which is using Duende IdentityServer) introspection endpoint against an active refresh token. Observed that it is only returning the active:false response, not like the response received from an active access token. Cross-verified it with Oauth RFCs, there it is mentioned that introspection requests can be validated for Access and Refresh tokens.

Are there any plans to implement introspection for refresh tokens to make it complaint with OAuth 2.0 Token Introspection RFC?

[leastprivilege]

What's your (business / technical) use case?

[mikbazz19]

Currently there aren't any from my end. Just exploring OAuth 2.0 resources and endpoints while came across this issue.

[leastprivilege]

OK - thanks! We didn't have a real use case either.

[brockallen]

Ok, we can look at add this on our backlog.