feat: token introspection (#83)

* introspect

* introspect and client assertion

* introspect and client assertion

* scopes

* token introspection

* introspect

* refactoring

* fixes

* clenaup

* Update example/internal/mock/storage.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* clenaup

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

pkg/client/rs/resource_server.go

@@ -0,0 +1,123 @@
+package rs
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/caos/oidc/pkg/client"
+	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/utils"
+)
+
+type ResourceServer interface {
+	IntrospectionURL() string
+	HttpClient() *http.Client
+	AuthFn() (interface{}, error)
+}
+
+type resourceServer struct {
+	issuer        string
+	tokenURL      string
+	introspectURL string
+	httpClient    *http.Client
+	authFn        func() (interface{}, error)
+}
+
+func (r *resourceServer) IntrospectionURL() string {
+	return r.introspectURL
+}
+
+func (r *resourceServer) HttpClient() *http.Client {
+	return r.httpClient
+}
+
+func (r *resourceServer) AuthFn() (interface{}, error) {
+	return r.authFn()
+}
+
+func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option Option) (ResourceServer, error) {
+	authorizer := func() (interface{}, error) {
+		return utils.AuthorizeBasic(clientID, clientSecret), nil
+	}
+	return newResourceServer(issuer, authorizer, option)
+}
+func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
+	signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)
+	if err != nil {
+		return nil, err
+	}
+	authorizer := func() (interface{}, error) {
+		assertion, err := client.SignedJWTProfileAssertion(clientID, []string{issuer}, time.Hour, signer)
+		if err != nil {
+			return nil, err
+		}
+		return client.ClientAssertionFormAuthorization(assertion), nil
+	}
+	return newResourceServer(issuer, authorizer, options...)
+}
+
+func newResourceServer(issuer string, authorizer func() (interface{}, error), options ...Option) (*resourceServer, error) {
+	rs := &resourceServer{
+		issuer:     issuer,
+		httpClient: utils.DefaultHTTPClient,
+	}
+	for _, optFunc := range options {
+		optFunc(rs)
+	}
+	if rs.introspectURL == "" || rs.tokenURL == "" {
+		config, err := client.Discover(rs.issuer, rs.httpClient)
+		if err != nil {
+			return nil, err
+		}
+		rs.tokenURL = config.TokenEndpoint
+		rs.introspectURL = config.IntrospectionEndpoint
+	}
+	if rs.introspectURL == "" || rs.tokenURL == "" {
+		return nil, errors.New("introspectURL and/or tokenURL is empty: please provide with either `WithStaticEndpoints` or a discovery url")
+	}
+	rs.authFn = authorizer
+	return rs, nil
+}
+
+func NewResourceServerFromKeyFile(issuer, path string, options ...Option) (ResourceServer, error) {
+	c, err := client.ConfigFromKeyFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return NewResourceServerJWTProfile(issuer, c.ClientID, c.KeyID, []byte(c.Key), options...)
+}
+
+type Option func(*resourceServer)
+
+//WithClient provides the ability to set an http client to be used for the resource server
+func WithClient(client *http.Client) Option {
+	return func(server *resourceServer) {
+		server.httpClient = client
+	}
+}
+
+//WithStaticEndpoints provides the ability to set static token and introspect URL
+func WithStaticEndpoints(tokenURL, introspectURL string) Option {
+	return func(server *resourceServer) {
+		server.tokenURL = tokenURL
+		server.introspectURL = introspectURL
+	}
+}
+
+func Introspect(ctx context.Context, rp ResourceServer, token string) (oidc.IntrospectionResponse, error) {
+	authFn, err := rp.AuthFn()
+	if err != nil {
+		return nil, err
+	}
+	req, err := utils.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, client.Encoder, authFn)
+	if err != nil {
+		return nil, err
+	}
+	resp := oidc.NewIntrospectionResponse()
+	if err := utils.HttpRequest(rp.HttpClient(), req, resp); err != nil {
+		return nil, err
+	}
+	return resp, nil
+}