feat: add token introspection

cerberauth · Mar 30, 2024 · 85dfeb9 · 85dfeb9
1 parent a1a61fe
commit 85dfeb9
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 5 deletions.
diff --git a/baffao-proxy/config/example.toml b/baffao-proxy/config/example.toml
@@ -6,5 +6,6 @@ client_id = "client_id"
 client_secret = "client_secret"
 authorization_redirect_uri = "http://127.0.0.1:3000/oauth/callback"
 authorization_endpoint = "http://127.0.0.1:4444/oauth2/auth"
-token_endpoint = "http://127.0.0.1/oauth2/token"
+token_endpoint = "http://127.0.0.1:3000/oauth2/token"
+introspection_endpoint = "http://127.0.0.1:3000/oauth2/introspect"
 redirect_uri = "http://127.0.0.1:3000/"
diff --git a/baffao/src/oauth/client.rs b/baffao/src/oauth/client.rs
@@ -1,8 +1,6 @@
 use anyhow::{Context, Error};
 use oauth2::{
-    basic::BasicClient, reqwest::async_http_client, AuthType, AuthUrl, AuthorizationCode, ClientId,
-    ClientSecret, CsrfToken, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope,
-    TokenUrl,
+    basic::{BasicClient, BasicTokenType}, reqwest::async_http_client, AccessToken as OAuthAccessToken, AuthType, AuthUrl, AuthorizationCode, ClientId, ClientSecret, CsrfToken, EmptyExtraTokenFields, IntrospectionUrl, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, StandardTokenIntrospectionResponse, TokenUrl
 };
 use reqwest::Url;
 
@@ -31,7 +29,7 @@ impl OAuthClient {
         let token_endpoint =
             TokenUrl::new(config.token_endpoint.clone()).context("Failed to parse token url")?;
 
-        let client = BasicClient::new(
+        let mut client = BasicClient::new(
             ClientId::new(config.client_id.clone()),
             Some(ClientSecret::new(config.client_secret.clone())),
             auth_url,
@@ -40,6 +38,12 @@ impl OAuthClient {
         .set_auth_type(AuthType::RequestBody)
         .set_redirect_uri(redirect_uri);
 
+        if let Some(introspection_endpoint) = &config.introspection_endpoint {
+            let introspection_endpoint = IntrospectionUrl::new(introspection_endpoint.clone())
+                .context("Failed to parse introspection url")?;
+            client = client.set_introspection_uri(introspection_endpoint);
+        }
+
         Ok(Self { config, client })
     }
 
@@ -105,4 +109,20 @@ impl OAuthClient {
 
         Ok(response.unwrap())
     }
+
+    pub async fn introspect_token(
+        &self,
+        token: String,
+    ) -> Result<StandardTokenIntrospectionResponse<EmptyExtraTokenFields, BasicTokenType>, Error>
+    {
+        let response = self
+            .client
+            .introspect(&OAuthAccessToken::new(token))?
+            .request_async(async_http_client)
+            .await?;
+
+        // TODO: configure introspection request depending on auth method
+
+        Ok(response)
+    }
 }
diff --git a/baffao/src/oauth/mod.rs b/baffao/src/oauth/mod.rs
@@ -24,6 +24,10 @@ pub struct OAuthConfig {
     pub token_endpoint: String,
     pub redirect_uri: Option<String>,
     pub default_scopes: Option<Vec<String>>,
+
+    pub introspection_endpoint: Option<String>,
+    pub introspection_endpoint_auth_methods_supported: Option<Vec<String>>,
+    pub introspection_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,
 }
 
 pub type AccessToken = StandardTokenResponse<EmptyExtraTokenFields, BasicTokenType>;