Eagerly abort introspection/revocation demands that don't have a toke…

…n attached

src/OpenIddict.Abstractions/OpenIddictResources.resx

@@ -1701,6 +1701,12 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
   <data name="ID0457" xml:space="preserve">
     <value>The '{0}' parameter cannot contain null or empty values.</value>
   </data>
+  <data name="ID0458" xml:space="preserve">
+    <value>A token must be specified when using introspection.</value>
+  </data>
+  <data name="ID0459" xml:space="preserve">
+    <value>A token must be specified when using revocation.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>

src/OpenIddict.Client/OpenIddictClientHandlers.cs

@@ -6171,6 +6171,11 @@ public ValueTask HandleAsync(ProcessIntrospectionContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
+            if (string.IsNullOrEmpty(context.Token))
+            {
+                throw new InvalidOperationException(SR.GetResourceString(SR.ID0458));
+            }
+
             if (context.Registration is null && string.IsNullOrEmpty(context.RegistrationId) &&
                 context.Issuer       is null && string.IsNullOrEmpty(context.ProviderName) &&
                 context.Options.Registrations.Count is not 1)
@@ -6841,6 +6846,11 @@ public ValueTask HandleAsync(ProcessRevocationContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
+            if (string.IsNullOrEmpty(context.Token))
+            {
+                throw new InvalidOperationException(SR.GetResourceString(SR.ID0459));
+            }
+
             if (context.Registration is null && string.IsNullOrEmpty(context.RegistrationId) &&
                 context.Issuer       is null && string.IsNullOrEmpty(context.ProviderName) &&
                 context.Options.Registrations.Count is not 1)