Introspection now draft spec compliant, requires client auth

Currently this is the client that originally sent the token, we want to have a way to bind other "clients" to this token as well, like resource services. Also want to let open calls, sometimes.
12 years ago · fbc3c46128
parent 544e3d7b43
commit fbc3c46128
3 changed files with 50 additions and 3 deletions
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
@ -97,6 +97,10 @@ public class TokenIntrospectionView extends AbstractView {
            	
            	token.add("expires", context.serialize(src.getExpiration()));
            	
+            	token.addProperty("audience", src.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getClientId());
+            	
+            	token.addProperty("user_id", src.getAuthenticationHolder().getAuthentication().getName());
+            	
            	return token;
            }
 			
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
@ -17,20 +17,30 @@ package org.mitre.oauth2.web;

 import java.security.Principal;

+import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;

+import com.google.common.base.Objects;
+import com.google.common.base.Strings;
+
@Controller
 public class IntrospectionEndpoint {

 	@Autowired
-	OAuth2TokenEntityService tokenServices;
+	private OAuth2TokenEntityService tokenServices;
+	
+	@Autowired
+	private ClientDetailsEntityService clientService;
 	
 	public IntrospectionEndpoint() {
 		
@ -40,12 +50,13 @@ public class IntrospectionEndpoint {
 		this.tokenServices = tokenServices;
 	}
 	
+	@PreAuthorize("hasRole('ROLE_CLIENT')")
 	@RequestMapping("/introspect")
-	public ModelAndView verify(Principal p, ModelAndView modelAndView) {
+	public ModelAndView verify(@RequestParam("token") String tokenValue, Principal p, ModelAndView modelAndView) {
 		
 		// assume the token's not valid until proven otherwise
 		modelAndView.setViewName("tokenNotFound");
-		
+		/*
 		if (p != null && p instanceof OAuth2Authentication) {
 			OAuth2Authentication auth = (OAuth2Authentication)p;
 			
@ -61,6 +72,29 @@ public class IntrospectionEndpoint {
 					modelAndView.setViewName("tokenIntrospection");
 					modelAndView.addObject("entity", token);
 				}
+			}
+		}*/
+		
+		if (!Strings.isNullOrEmpty(tokenValue)) {
+			OAuth2AccessTokenEntity token = tokenServices.readAccessToken(tokenValue);
+			
+			if (token != null) {
+				
+				ClientDetailsEntity tokenClient = token.getClient();
+				// clientID is the principal name in the authentication
+				String clientId = p.getName();
+				ClientDetailsEntity authClient = clientService.loadClientByClientId(clientId);
+				
+				if (tokenClient != null && authClient != null) {
+					if (Objects.equal(authClient, tokenClient)) {
+						
+						// if it's a valid token, we'll print out information on it
+						modelAndView.setViewName("tokenIntrospection");
+						modelAndView.addObject("entity", token);
+					}
+				}
+				
+				
 			}
 		}
 		
--- a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
@ -87,6 +87,10 @@
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>
+	
+	<security:http pattern="/introspect**" entry-point-ref="oauthAuthenticationEntryPoint">
+		<security:custom-filter ref="clientCredentialsIntrospectionEndpointFilter" before="BASIC_AUTH_FILTER" />
+	</security:http>

 	<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
 		<property name="realmName" value="openidconnect" />
@ -115,6 +119,11 @@
 		<property name="authenticationManager" ref="clientAuthenticationManager" />
 		<property name="filterProcessesUrl" value="/token"/>
 	</bean>
+	
+	<bean id="clientCredentialsIntrospectionEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
+		<property name="authenticationManager" ref="clientAuthenticationManager" />
+		<property name="filterProcessesUrl" value="/introspect"/>
+	</bean>

 	<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
 		<authentication-provider user-service-ref="clientUserDetailsService" />