Introspection now draft spec compliant, requires client auth

Currently this is the client that originally sent the token, we want to have a way to bind other "clients" to this token as well, like resource services. Also want to let open calls, sometimes.
12 years ago · fbc3c46128
parent 544e3d7b43
commit fbc3c46128
3 changed files with 50 additions and 3 deletions
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
@ -97,6 +97,10 @@ public class TokenIntrospectionView extends AbstractView {
            	token.add("expires", context.serialize(src.getExpiration()));
            	token.addProperty("audience", src.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getClientId());
            	token.addProperty("user_id", src.getAuthenticationHolder().getAuthentication().getName());
            	return token;
            }
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
@ -17,20 +17,30 @@ package org.mitre.oauth2.web;
 import java.security.Principal;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
 import com.google.common.base.Objects;
 import com.google.common.base.Strings;
@Controller
 public class IntrospectionEndpoint {
 	@Autowired
-	OAuth2TokenEntityService tokenServices;
+	private OAuth2TokenEntityService tokenServices;
 	@Autowired
 	private ClientDetailsEntityService clientService;
 	public IntrospectionEndpoint() {
@ -40,12 +50,13 @@ public class IntrospectionEndpoint {
 		this.tokenServices = tokenServices;
 	}
 	@PreAuthorize("hasRole('ROLE_CLIENT')")
 	@RequestMapping("/introspect")
-	public ModelAndView verify(Principal p, ModelAndView modelAndView) {
+	public ModelAndView verify(@RequestParam("token") String tokenValue, Principal p, ModelAndView modelAndView) {
 		// assume the token's not valid until proven otherwise
 		modelAndView.setViewName("tokenNotFound");
-		
+		/*
 		if (p != null && p instanceof OAuth2Authentication) {
 			OAuth2Authentication auth = (OAuth2Authentication)p;
@ -61,6 +72,29 @@ public class IntrospectionEndpoint {
 					modelAndView.setViewName("tokenIntrospection");
 					modelAndView.addObject("entity", token);
 				}
 			}
 		}*/
 		if (!Strings.isNullOrEmpty(tokenValue)) {
 			OAuth2AccessTokenEntity token = tokenServices.readAccessToken(tokenValue);
 			if (token != null) {
 				ClientDetailsEntity tokenClient = token.getClient();
 				// clientID is the principal name in the authentication
 				String clientId = p.getName();
 				ClientDetailsEntity authClient = clientService.loadClientByClientId(clientId);
 				if (tokenClient != null && authClient != null) {
 					if (Objects.equal(authClient, tokenClient)) {
 						// if it's a valid token, we'll print out information on it
 						modelAndView.setViewName("tokenIntrospection");
 						modelAndView.addObject("entity", token);
 					}
 				}
 			}
 		}
--- a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
@ -88,6 +88,10 @@
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>
 	<security:http pattern="/introspect**" entry-point-ref="oauthAuthenticationEntryPoint">
 		<security:custom-filter ref="clientCredentialsIntrospectionEndpointFilter" before="BASIC_AUTH_FILTER" />
 	</security:http>
 	<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
 		<property name="realmName" value="openidconnect" />
 	</bean>
@ -116,6 +120,11 @@
 		<property name="filterProcessesUrl" value="/token"/>
 	</bean>
 	<bean id="clientCredentialsIntrospectionEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
 		<property name="authenticationManager" ref="clientAuthenticationManager" />
 		<property name="filterProcessesUrl" value="/introspect"/>
 	</bean>
 	<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
 		<authentication-provider user-service-ref="clientUserDetailsService" />
 	</authentication-manager>