there probably shouldn't be a token validation

[corbosman]

Heya, as the first line in your controller you do:

$this->resourceServer->validateAuthenticatedRequest($request);

This checks if there is a bearer token with a valid access token in the Authorization header. But that is probably not how you should implement that afaik. The token you are presenting for introspection as the token body parameter, should not be the one used for authentication. (and it can be now if it's a valid token).

I think the specs mention either basic auth or some other mechanism. Maybe simply leave it up to the consumer of your package to decide how to implement authentication for the introspection client. Although im not sure how, i dont think they could assign a middleware to your routes easily.

im interested in how you see this.

[rokde]

Good advice. Let me check the implementation next week. Or do you want to make a pull request?

[MattApril]

Calling validateAuthenticatedRequest does not impose a requirement of using the token to be introspected as the token for validation. You can (and should) use another token, such as one from a client credentials grant.

[MattApril]

With that being said, I also disagree the with implementation of this. It should be setup so that any guard(s) can be configured for the route. i.e. basic auth, passport, or even no auth if the server is on a private network. If I have time I can create a pull request, but for now this is suitable for me.