Description
There has been some confusion surrounding when and how to issue requests for access token verification from the token endpoint (sections 6.3.2 and 6.3.3). One such occasion was today in chat. Here a Micropub client was first doing authentication verification (and expecting an answer similar to what a token endpoint would expect) and then doing a token request with the same access code. This worked with some implementations, but not all.
In fact, on a quick read the IndieAuth specification does not make it clear at all that implementing sections 6.3.2 and 6.3.3 is completely optional. These steps are only necessary when you expect a token endpoint to talk to the authorization endpoint over HTTP. At least one private implementation (aaronpk’s) never returns scope values on verification requests because it does not support these sections.
There are multiple implementations where the authorization and token endpoints exist within the same infrastructure, like the WordPress plugin. These implementations never need to implement HTTP access code verification between the two endpoints and the sections are completely optional.
Going forward: should we drop these extra steps from the base IndieAuth specification completely?
The concept could instead be documented as an extension limited to implementers who need the modularity.