class Doorkeeper::OAuth::TokenIntrospection
@see tools.ietf.org/html/rfc7662<br><br>RFC7662 OAuth 2.0 Token Introspection
def active?
be used at the resource server making the introspection call.
authorization server MUST determine whether or not the token can
o If the token can be used only at certain resource servers, the
validate the signature.
o If the token has been signed, the authorization server MUST
place.
server MUST determine whether or not such a revocation has taken
o If the token can be revoked after it was issued, the authorization
period has started yet.
authorization server MUST determine whether or not a token's valid
o If the token can be issued before it is able to be used, the
whether or not the token has expired.
o If the token can expire, the authorization server MUST determine
token's state. For instance, these tests include the following:
authorization server MUST perform all applicable checks against a
authorization server to determine the state of a token, the
Since resource servers using token introspection rely on the
* The token was issued to a different client than is making this request
* The token expired
* The token requested does not exist or is invalid
Any other error is considered an "inactive" token.
before its expiration time).
given time window of validity (e.g., after its issuance time and
has not been revoked by the resource owner, and is within its
that a given token has been issued by this authorization server,
value return for the "active" property will generally indicate
server and the information it keeps about its tokens, but a "true"
will vary depending on the implementation of the authorization
is currently active. The specifics of a token's "active" state
Boolean indicator of whether or not the presented token
def active? if authorized_client valid_token? && token_introspection_allowed?(auth_client: authorized_client.application) else valid_token? end end
def authorize!
- See: https://www.oauth.com/oauth2-servers/token-introspection-endpoint/ -
def authorize! # Requested client authorization if server.credentials @error = :invalid_client unless authorized_client elsif authorized_token # Requested bearer token authorization # # If the protected resource uses an OAuth 2.0 bearer token to authorize # its call to the introspection endpoint and the token used for # authorization does not contain sufficient privileges or is otherwise # invalid for this request, the authorization server responds with an # HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token # Usage [RFC6750]. # @error = :invalid_token unless valid_authorized_token? else @error = :invalid_request @invalid_request_reason = :request_not_authorized end end
def authorized?
def authorized? @error.blank? end
def authorized_client
def authorized_client @authorized_client ||= server.credentials && server.client end
def authorized_token
def authorized_token @authorized_token ||= Doorkeeper.authenticate(server.context.request) end
def authorized_token_matches_introspected?
def authorized_token_matches_introspected? authorized_token.token == @token&.token end
def customize_response(response)
- See: https://tools.ietf.org/html/rfc7662#section-2.2 -
def customize_response(response) customized_response = Doorkeeper.config.custom_introspection_response.call( token, server.context, ) return response if customized_response.blank? response.merge(customized_response) end
def error_response
def error_response return if @error.blank? if @error == :invalid_token OAuth::InvalidTokenResponse.from_access_token(authorized_token) elsif @error == :invalid_request OAuth::InvalidRequestResponse.from_request(self) else OAuth::ErrorResponse.new(name: @error) end end
def failure_response
- See: https://tools.ietf.org/html/rfc7662 - 2.2. Introspection Response
def failure_response { active: false, } end
def initialize(server, token)
def initialize(server, token) @server = server @token = token authorize! end
def success_response
def success_response customize_response( active: true, scope: @token.scopes_string, client_id: @token.try(:application).try(:uid), token_type: @token.token_type, exp: @token.expires_at.to_i, iat: @token.created_at.to_i, ) end
def to_json(*)
def to_json(*) active? ? success_response : failure_response end
def token_introspection_allowed?(auth_client: nil, auth_token: nil)
def token_introspection_allowed?(auth_client: nil, auth_token: nil) allow_introspection = Doorkeeper.config.allow_token_introspection return allow_introspection unless allow_introspection.respond_to?(:call) allow_introspection.call(@token, auth_client, auth_token) end
def valid_authorized_token?
def valid_authorized_token? !authorized_token_matches_introspected? && authorized_token.accessible? && token_introspection_allowed?(auth_token: authorized_token) end
def valid_token?
def valid_token? @token&.accessible? end