feat: add token introspection

emmanuelgautier · emmanuelgautier · commit fc0c516eebbf · 2024-03-15T16:58:56.000+01:00
diff --git a/baffao-core/src/oauth/client.rs b/baffao-core/src/oauth/client.rs
@@ -1,9 +1,6 @@
 use anyhow::{Context, Error};
 use oauth2::{
-    basic::{BasicClient, BasicTokenType},
-    reqwest::async_http_client,
-    AuthType, AuthUrl, AuthorizationCode, ClientId, ClientSecret, CsrfToken, EmptyExtraTokenFields,
-    PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, Scope, StandardTokenResponse, TokenUrl,
+    basic::{BasicClient, BasicTokenType}, reqwest::async_http_client, AccessToken, AuthType, AuthUrl, AuthorizationCode, ClientId, ClientSecret, CsrfToken, EmptyExtraTokenFields, IntrospectionUrl, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, Scope, StandardTokenIntrospectionResponse, StandardTokenResponse, TokenUrl
 };
 use reqwest::Url;
 
@@ -32,7 +29,7 @@ impl OAuthClient {
         let token_endpoint =
             TokenUrl::new(config.token_endpoint.clone()).context("Failed to parse token url")?;
 
-        let client = BasicClient::new(
+        let mut client = BasicClient::new(
             ClientId::new(config.client_id.clone()),
             Some(ClientSecret::new(config.client_secret.clone())),
             auth_url,
@@ -41,6 +38,12 @@ impl OAuthClient {
         .set_auth_type(AuthType::RequestBody)
         .set_redirect_uri(redirect_uri);
 
+        if let Some(introspection_endpoint) = &config.introspection_endpoint {
+            let introspection_endpoint = IntrospectionUrl::new(introspection_endpoint.clone())
+                .context("Failed to parse introspection url")?;
+            client = client.set_introspection_uri(introspection_endpoint);
+        }
+
         Ok(Self { config, client })
     }
 
@@ -87,4 +90,19 @@ impl OAuthClient {
 
         Ok(response.unwrap())
     }
+
+    pub async fn introspect_token(
+        &self,
+        token: String,
+    ) -> Result<StandardTokenIntrospectionResponse<EmptyExtraTokenFields, BasicTokenType>, Error> {
+        let response = self
+            .client
+            .introspect(&AccessToken::new(token))?
+            .request_async(async_http_client)
+            .await?;
+
+        // TODO: configure introspection request depending on auth method
+
+        Ok(response)
+    }
 }
diff --git a/baffao-core/src/oauth/mod.rs b/baffao-core/src/oauth/mod.rs
@@ -19,4 +19,8 @@ pub struct OAuthConfig {
     pub token_endpoint: String,
     pub redirect_uri: Option<String>,
     pub default_scopes: Option<Vec<String>>,
+
+    pub introspection_endpoint: Option<String>,
+    pub introspection_endpoint_auth_methods_supported: Option<Vec<String>>,
+    pub introspection_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,
 }

Original file line number	Diff line number	Diff line change
`@@ -19,4 +19,8 @@ pub struct OAuthConfig {`
`19`	`19`	`pub token_endpoint: String,`
`20`	`20`	`pub redirect_uri: Option<String>,`
`21`	`21`	`pub default_scopes: Option<Vec<String>>,`
	`22`	`+`
	`23`	`+ pub introspection_endpoint: Option<String>,`
	`24`	`+ pub introspection_endpoint_auth_methods_supported: Option<Vec<String>>,`
	`25`	`+ pub introspection_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,`
`22`	`26`	`}`