Closed
Labels
breaking change (Changes behavior in a breaking manner.), bug (Something is not working.)
Description
/oauth2/introspect endpoint requires a valid client's client_credentials token to validate other access_tokens.
There seems to be a check in the endpoint that the client's sub must equal the access token's aud.
Also, I don't seem to be able to use basic digest authentication of a client's key/secret during these requests, only a valid client token.
I thought the point of this endpoint was to be able to just pass the access token as the Bearer and have it validate and return itself.