Add some comments for the case RS authentication fails when JWT introspection responses are requested. (#78)

hidebike712 · web-flow · commit 01c818338aed · 2025-11-21T17:28:24.000+09:00
diff --git a/src/main/java/com/authlete/jaxrs/server/api/IntrospectionEndpoint.java b/src/main/java/com/authlete/jaxrs/server/api/IntrospectionEndpoint.java
@@ -82,6 +82,20 @@ public Response post(
         // If failed to authenticate the resource server.
         if (authenticateResourceServer(rsEntity, credentials) == false)
         {
+            // RFC 9701 mandates a "400 Bad Request" for unauthenticated introspection
+            // requests as follows:
+            //
+            //   Note: An AS compliant with this specification MUST refuse to serve
+            //   introspection requests that don't authenticate the caller and return
+            //   an HTTP status code 400. This is done to ensure token data is released
+            //   to legitimate recipients only and prevent downgrading to [RFC7662]
+            //   behavior (see Section 8.2).
+            //
+            // However, we return "401 Unauthorized" instead here.
+            // While RFC 7662 leaves authentication details out of scope, we consider
+            // 401 the semantically correct HTTP status for API caller authentication
+            // failures and the standard behavior for protected endpoints.
+
             // Return "401 Unauthorized".
             return Response.status(Status.UNAUTHORIZED).build();
         }
