From fbc3c4612846ee361f0b57338166929bb1f095ed Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Fri, 7 Dec 2012 17:12:13 -0500 Subject: [PATCH] Introspection now draft spec compliant, requires client auth Currently this is the client that originally sent the token, we want to have a way to bind other "clients" to this token as well, like resource services. Also want to let open calls, sometimes. --- .../oauth2/view/TokenIntrospectionView.java | 4 ++ .../oauth2/web/IntrospectionEndpoint.java | 40 +++++++++++++++++-- .../webapp/WEB-INF/application-context.xml | 9 +++++ 3 files changed, 50 insertions(+), 3 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java b/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java index cb7698579..b07dab402 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java @@ -97,6 +97,10 @@ public class TokenIntrospectionView extends AbstractView { token.add("expires", context.serialize(src.getExpiration())); + token.addProperty("audience", src.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getClientId()); + + token.addProperty("user_id", src.getAuthenticationHolder().getAuthentication().getName()); + return token; } diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java index 8050646c3..34abe8d4a 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java 
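Review bot: The two added `token.addProperty` lines dereference `src.getAuthenticationHolder().getAuthentication()` (and, for `audience`, `.getAuthorizationRequest()`) with no null guard, so a stored token whose holder, authentication or authorization request is missing throws a NullPointerException while the introspection view renders, turning a lookup into a 500 instead of a "not found" answer. Guarding each step and simply omitting the property when the chain is incomplete keeps the view working for every token the endpoint chooses to show. The value written as `user_id` is the authentication's principal name, which for a client-credentials grant would presumably be the client id rather than an end user, so the label is worth confirming. The enclosing method begins before this hunk.
```java
// … unchanged: earlier token properties …
if (src.getAuthenticationHolder() != null && src.getAuthenticationHolder().getAuthentication() != null) {
    if (src.getAuthenticationHolder().getAuthentication().getAuthorizationRequest() != null) {
        token.addProperty("audience", src.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getClientId());
    }
    token.addProperty("user_id", src.getAuthenticationHolder().getAuthentication().getName());
}
return token;
```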
@@ -17,20 +17,30 @@ package org.mitre.oauth2.web; import java.security.Principal; +import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; +import org.mitre.oauth2.service.ClientDetailsEntityService; import org.mitre.oauth2.service.OAuth2TokenEntityService; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; +import com.google.common.base.Objects; +import com.google.common.base.Strings; + @Controller public class IntrospectionEndpoint { @Autowired - OAuth2TokenEntityService tokenServices; + private OAuth2TokenEntityService tokenServices; + + @Autowired + private ClientDetailsEntityService clientService; public IntrospectionEndpoint() { @@ -40,12 +50,13 @@ public class IntrospectionEndpoint { this.tokenServices = tokenServices; } + @PreAuthorize("hasRole('ROLE_CLIENT')") @RequestMapping("/introspect") - public ModelAndView verify(Principal p, ModelAndView modelAndView) { + public ModelAndView verify(@RequestParam("token") String tokenValue, Principal p, ModelAndView modelAndView) { // assume the token's not valid until proven otherwise modelAndView.setViewName("tokenNotFound"); - + /* if (p != null && p instanceof OAuth2Authentication) { OAuth2Authentication auth = (OAuth2Authentication)p; 
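Review bot: The new `clientService` field is injected only via `@Autowired`, while `tokenServices` can also be supplied through the existing constructor (the context line `this.tokenServices = tokenServices;` shows it); anything that builds the endpoint through that constructor, such as a unit test, presumably ends up with a null `clientService` and a NullPointerException inside `verify`. Adding the matching setter, `public void setClientService(ClientDetailsEntityService clientService) { this.clientService = clientService; }`, or widening the constructor keeps the two dependencies symmetric.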
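Review bot: `@RequestMapping("/introspect")` carries no method restriction, so the new `@RequestParam("token")` is also accepted on GET, which puts the raw access token value into the query string and thus into access logs, proxy logs and browser history; restricting the mapping to POST, `@RequestMapping(value = "/introspect", method = RequestMethod.POST)` with `import org.springframework.web.bind.annotation.RequestMethod;`, keeps the token in the request body. The added `@PreAuthorize("hasRole('ROLE_CLIENT')")` only takes effect if pre/post method security is enabled in the application context; the xml hunks in this patch are empty in this view, so that cannot be confirmed here, and an unauthenticated request to the endpoint is the test that would pin it. The old body is kept behind `/*` rather than deleted; version control already holds it, so the dead block should go. The `verify` method continues past the end of this hunk.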
@@ -61,6 +72,29 @@ public class IntrospectionEndpoint { modelAndView.setViewName("tokenIntrospection"); modelAndView.addObject("entity", token); } + } + }*/ + + if (!Strings.isNullOrEmpty(tokenValue)) { + OAuth2AccessTokenEntity token = tokenServices.readAccessToken(tokenValue); + + if (token != null) { + + ClientDetailsEntity tokenClient = token.getClient(); + // clientID is the principal name in the authentication + String clientId = p.getName(); + ClientDetailsEntity authClient = clientService.loadClientByClientId(clientId); + + if (tokenClient != null && authClient != null) { + if (Objects.equal(authClient, tokenClient)) { + + // if it's a valid token, we'll print out information on it + modelAndView.setViewName("tokenIntrospection"); + modelAndView.addObject("entity", token); + } + } + + } } diff --git a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml index c2b31d47c..4c191f878 100644 --- a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml +++ b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml @@ -87,6 +87,10 @@ + + + + @@ -115,6 +119,11 @@ + + + + +
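Review bot: The ownership check `Objects.equal(authClient, tokenClient)` relies on `ClientDetailsEntity.equals`; if that entity does not override `equals` (as is common for JPA entities), two separately loaded instances compare by identity and the legitimate client is refused, so comparing the identifiers is more robust: `if (Objects.equal(authClient.getClientId(), tokenClient.getClientId())) {`. Returning the same `tokenNotFound` view for a token that belongs to another client is the right choice, since it does not reveal whether the token exists. Nothing in this hunk checks the token's expiry before handing it to the view; unless `readAccessToken` already rejects expired tokens, an expired token is reported as found, and a short comment stating which of the two is intended would help the next reader. Whether `verify` ends inside this hunk is not visible from the collapsed text.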