introspect

pkg/op/config.go

@@ -13,6 +13,7 @@ type Configuration interface {
 	Issuer() string
 	AuthorizationEndpoint() Endpoint
 	TokenEndpoint() Endpoint
+	IntrospectionEndpoint() Endpoint
 	UserinfoEndpoint() Endpoint
 	EndSessionEndpoint() Endpoint
 	KeysEndpoint() Endpoint

pkg/op/discovery.go

@@ -22,9 +22,9 @@ func CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfigurati
 		Issuer:                c.Issuer(),
 		AuthorizationEndpoint: c.AuthorizationEndpoint().Absolute(c.Issuer()),
 		TokenEndpoint:         c.TokenEndpoint().Absolute(c.Issuer()),
-		// IntrospectionEndpoint: c.Intro().Absolute(c.Issuer()),
-		UserinfoEndpoint:   c.UserinfoEndpoint().Absolute(c.Issuer()),
-		EndSessionEndpoint: c.EndSessionEndpoint().Absolute(c.Issuer()),
+		IntrospectionEndpoint: c.IntrospectionEndpoint().Absolute(c.Issuer()),
+		UserinfoEndpoint:      c.UserinfoEndpoint().Absolute(c.Issuer()),
+		EndSessionEndpoint:    c.EndSessionEndpoint().Absolute(c.Issuer()),
 		// CheckSessionIframe: c.TokenEndpoint().Absolute(c.Issuer())(c.CheckSessionIframe),
 		JwksURI:                           c.KeysEndpoint().Absolute(c.Issuer()),
 		ScopesSupported:                   Scopes(c),

pkg/op/op.go

@@ -21,7 +21,7 @@ const (
 	readinessEndpoint            = "/ready"
 	defaultAuthorizationEndpoint = "authorize"
 	defaulTokenEndpoint          = "oauth/token"
-	defaultIntrospectEndpoint    = "introspect"
+	defaultIntrospectEndpoint    = "oauth/introspect"
 	defaultUserinfoEndpoint      = "userinfo"
 	defaultEndSessionEndpoint    = "end_session"
 	defaultKeysEndpoint          = "keys"
@@ -78,6 +78,7 @@ func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
 	router.Handle(o.AuthorizationEndpoint().Relative(), intercept(authorizeHandler(o)))
 	router.NewRoute().Path(o.AuthorizationEndpoint().Relative()+"/callback").Queries("id", "{id}").Handler(intercept(authorizeCallbackHandler(o)))
 	router.Handle(o.TokenEndpoint().Relative(), intercept(tokenHandler(o)))
+	router.HandleFunc(o.IntrospectionEndpoint().Relative(), introspectionHandler(o))
 	router.HandleFunc(o.UserinfoEndpoint().Relative(), userinfoHandler(o))
 	router.Handle(o.EndSessionEndpoint().Relative(), intercept(endSessionHandler(o)))
 	router.HandleFunc(o.KeysEndpoint().Relative(), keysHandler(o))
@@ -166,6 +167,10 @@ func (o *openidProvider) TokenEndpoint() Endpoint {
 	return o.endpoints.Token
 }
 
+func (o *openidProvider) IntrospectionEndpoint() Endpoint {
+	return o.endpoints.Introspection
+}
+
 func (o *openidProvider) UserinfoEndpoint() Endpoint {
 	return o.endpoints.Userinfo
 }
@@ -332,6 +337,16 @@ func WithCustomTokenEndpoint(endpoint Endpoint) Option {
 	}
 }
 
+func WithCustomIntrospectionEndpoint(endpoint Endpoint) Option {
+	return func(o *openidProvider) error {
+		if err := endpoint.Validate(); err != nil {
+			return err
+		}
+		o.endpoints.Introspection = endpoint
+		return nil
+	}
+}
+
 func WithCustomUserinfoEndpoint(endpoint Endpoint) Option {
 	return func(o *openidProvider) error {
 		if err := endpoint.Validate(); err != nil {

pkg/op/storage.go

@@ -28,10 +28,15 @@ type AuthStorage interface {
 type OPStorage interface {
 	GetClientByClientID(ctx context.Context, clientID string) (Client, error)
 	AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string) error
-	GetUserinfoFromScopes(ctx context.Context, userID, clientID string, scopes []string) (oidc.UserInfo, error)
-	GetUserinfoFromToken(ctx context.Context, tokenID, subject, origin string) (oidc.UserInfo, error)
+	SetUserinfoFromScopes(ctx context.Context, userinfo oidc.UserInfoSetter, userID, clientID string, scopes []string) error
+	SetUserinfoFromToken(ctx context.Context, userinfo oidc.UserInfoSetter, tokenID, subject, origin string) error
 	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]interface{}, error)
 	GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
+
+	//deprecated: use GetUserinfoFromScopes instead
+	GetUserinfoFromScopes(ctx context.Context, userID, clientID string, scopes []string) (oidc.UserInfo, error)
+	//deprecated: use SetUserinfoFromToken instead
+	GetUserinfoFromToken(ctx context.Context, tokenID, subject, origin string) (oidc.UserInfo, error)
 }
 
 type Storage interface {

pkg/op/token_intospection.go

@@ -0,0 +1,58 @@
+package op
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/utils"
+)
+
+type Introspector interface {
+	Decoder() utils.Decoder
+	Crypto() Crypto
+	Storage() Storage
+	AccessTokenVerifier() AccessTokenVerifier
+}
+
+func introspectionHandler(introspector Introspector) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		Introspect(w, r, introspector)
+	}
+}
+
+func Introspect(w http.ResponseWriter, r *http.Request, introspector Introspector) {
+	//validate authorization
+
+	response := oidc.NewIntrospectionResponse()
+	token, err := ParseTokenInrospectionRequest(r, introspector.Decoder())
+	if err != nil {
+		utils.MarshalJSON(w, response)
+		return
+	}
+	tokenID, subject, ok := getTokenIDAndSubject(r.Context(), introspector, token)
+	if !ok {
+		utils.MarshalJSON(w, response)
+		return
+	}
+	err = introspector.Storage().SetUserinfoFromToken(r.Context(), response, tokenID, subject, r.Header.Get("origin"))
+	if err != nil {
+		utils.MarshalJSON(w, response)
+		return
+	}
+	response.SetActive(true)
+	utils.MarshalJSON(w, response)
+}
+
+func ParseTokenInrospectionRequest(r *http.Request, decoder utils.Decoder) (string, error) {
+	err := r.ParseForm()
+	if err != nil {
+		return "", errors.New("unable to parse request")
+	}
+	req := new(oidc.IntrospectionRequest)
+	err = decoder.Decode(req, r.Form)
+	if err != nil {
+		return "", errors.New("unable to parse request")
+	}
+	return req.Token, nil
+}