Updated Token Introspecting Client Config (markdown)

Token-Introspecting-Client-Config.md

@@ -1,4 +1,6 @@
-The following code sets up a filter to take a token passed in to the web application, and fill in the details as an `OAuth2Authentication` object by introspecting it with the configured issuer's Introspection Endpoint (configured as the `introspectionUrl` property). The service authenticates its calls using the `clientId` and `clientSecret` properties.
+The following code sets up a filter to take a token passed in to the web application, and fill in the details as an `OAuth2Authentication` object by introspecting it at a configured issuer's Introspection Endpoint. The URL for the Introspection Endpoint is provided by the configured `introspectionUrlProvider` service. The token service authenticates its calls using the `clientId` and `clientSecret` properties. 
+
+If the token is valid, the service creates an `Authentication` object with the user in the `sub` object as its principle. This `Authentication` is given a set of `GrantedAuthorities` provided by the configured `introspectionAuthorityGranter` service. 
 
 In applicationContext.xml:
 ```
@@ -6,8 +8,53 @@ In applicationContext.xml:
     <bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
         <property name="clientId" value="yourClientId"/>
         <property name="clientSecret" value="yourClientSecret"/>
-        <property name="introspectionUrl" value="http://localhost:8080/openid-connect-server/introspect"/>
+        <property name="introspectionUrlProvider">
+           ...
+        </property>
+        <property name="introspectionAuthorityGranter">
+           ...
+        </property>
     </bean>
 ```
 
-If the token is valid, the service creates an Authorization with the user in the `sub` field of the response and the role `ROLE_API`.
+## Introspection URL Providers
+
+The `IntrospectionURLProvider` interface looks at the context of the request and returns a URL to which the token service can make its introspection call.
+
+### Static Introspection URL Provider
+
+The static provider simply returns the same configured URL for all requests, regardless of context.
+
+```
+   <bean class="org.mitre.oauth2.introspectingfilter.StaticIntrospectionUrlProvider">
+      <property name="introspectionUrl" value="http://authserver/introspect" />
+   </bean>
+```
+
+### JWT-Parsing Introspection URL Provider
+
+The JWT-parsing provider assumes that the access token is a properly formed JWT and parses the token value into a JWT object. The provider then extracts the `iss` field and looks up the introspection URL using the configured `serverConfigurationService`. This service the same as that described in [Client Configuration](Client-configuration#server-configuration).
+
+```
+   <bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
+      <property name="serverConfigurationService">
+         ...
+      </property>
+   </bean>
+```
+
+## Authority Granter
+
+The `IntrospectionAuthorityGranter` interface looks at the response from the introspection endpoint and returns a set of Spring Security `GrantedAuthority` objects to be assigned to the token service's resulting `Authentication` object. 
+
+### Simple Introspection Authority Granter
+
+The `SimpleIntrospectionAuthorityGranter` returns the same configured set of authorities for every request, as long as the token is deemed valid by the server. By default, it returns the single `GrantedAuthority` of `ROLE_API`. 
+
+```
+   <bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
+      <property name="authorities">
+         ...
+      </property>
+   </bean>
+```