Move introspect token to oauth2_client

MarcialRosales · MarcialRosales · commit 0183d9a7a7b1 · 2025-06-20T07:56:31.000+02:00
diff --git a/deps/oauth2_client/include/oauth2_client.hrl b/deps/oauth2_client/include/oauth2_client.hrl
@@ -27,6 +27,7 @@
 -define(REQUEST_CLIENT_SECRET, "client_secret").
 -define(REQUEST_SCOPE, "scope").
 -define(REQUEST_REFRESH_TOKEN, "refresh_token").
+-define(REQUEST_TOKEN, "token").
 
 % define access token response constants
 -define(BEARER_TOKEN_TYPE, <<"Bearer">>).
diff --git a/deps/oauth2_client/include/types.hrl b/deps/oauth2_client/include/types.hrl
@@ -78,3 +78,13 @@
 }).
 
 -type refresh_token_request() :: #refresh_token_request{}.
+
+-record(introspect_token_request, {
+  endpoint :: option(uri_string:uri_string()),
+  client_id :: binary() | undefined,
+  client_secret :: binary() | undefined,
+  client_auth_method :: basic | request_param | undefined,
+  ssl_options :: option(list())
+}).
+
+-type introspect_token_request() :: #introspect_token_request{}.
diff --git a/deps/oauth2_client/src/oauth2_client.erl b/deps/oauth2_client/src/oauth2_client.erl
@@ -7,6 +7,7 @@
 -module(oauth2_client).
 -export([get_access_token/2, get_expiration_time/1,
         refresh_access_token/2,
+        introspect_token/1,
         get_oauth_provider/1, get_oauth_provider/2,
         get_openid_configuration/2,
         build_openid_discovery_endpoint/3,
@@ -48,6 +49,96 @@ refresh_access_token(OAuthProvider, Request) ->
     Response = httpc:request(post, {URL, Header, Type, Body}, HTTPOptions, Options),
     parse_access_token_response(Response).
 
+-spec introspect_token(binary()) -> 
+    {ok, successful_access_token_response()} |
+    {error, unsuccessful_access_token_response() | any()}.
+introspect_token(Token) ->
+    case build_introspection_request() of 
+        {ok, Request} -> 
+            URL = Request#introspect_token_request.endpoint,
+            Header = build_introspect_authorization_header_if_any(Request),
+            Type = ?CONTENT_URLENCODED,
+            Body = build_introspect_request_parameters(Token, Request),
+            HTTPOptions = case Request#introspect_token_request.ssl_options of
+                                undefined -> [];
+                                SSL ->  [{ssl, SSL}]
+                          end ++ get_default_timeout(),
+            Options = [],
+            Response = httpc:request(post, {URL, Header, Type, Body}, HTTPOptions, Options),
+            parse_access_token_response(Response);
+        {error, Message} -> 
+            #unsuccessful_access_token_response{
+              error = 500,
+              error_description = binary_to_list(Message)
+            }
+    end.    
+
+build_introspect_request_parameters(Token, #introspect_token_request{
+        client_auth_method = Method, 
+        client_id = ClientId, 
+        client_secret = ClientSecret}) ->
+    QueryList = case Method of 
+        request_param -> [
+            client_id_request_parameter(ClientId),
+            client_secret_request_parameter(ClientSecret)
+            ];
+        _ -> []
+    end,
+    uri_string:compose_query([{?REQUEST_TOKEN, Token} | QueryList]).
+
+
+build_introspect_authorization_header_if_any(#introspect_token_request{
+        client_auth_method = Method, 
+        client_id = ClientId, 
+        client_secret = ClientSecret}) ->
+    case Method of 
+        basic ->
+            Credentials = binary_to_list(<<ClientId/binary,":",ClientSecret/binary>>),
+            AuthStr = base64:encode_to_string(Credentials),
+            [{"Authorization", "Basic " ++ AuthStr}];
+        _ -> []
+    end.
+
+build_introspection_request() ->
+     Result = case get_oauth_provider([introspection_endpoint]) of
+        {ok, Provider} -> 
+            case {Provider#oauth_provider.introspection_client_id, 
+                    Provider#oauth_provider.introspection_client_secret} of
+                {undefined, _} -> {error, not_found_introspection_endpoint};
+                {_, _} -> {ok, build_introspection_request(Provider)}
+            end;
+        {error, _} = Error -> Error
+    end,
+    Providers = case Result of 
+        {ok, _} -> Result;
+        {error, _} -> 
+            maps:filter(fun(K,V) -> 
+                case {V#oauth_provider.introspection_client_id, 
+                    V#oauth_provider.introspection_client_secret} of
+                    {undefined, _} -> false;
+                    {_Id, _Secret} -> 
+                        case get_oauth_provider(K, [introspection_endpoint]) of 
+                            {ok, _} -> true;
+                            _ -> false
+                        end
+                end
+            end, get_env(oauth_providers))
+        end,
+    case maps:size(Providers) of 
+        0 -> {error, not_found_introspection_endpoint};
+        1 -> {ok, build_introspection_request(lists:last(maps:values(Providers))) };
+        _ -> {error, too_many_introspection_endpoints}
+    end.
+
+build_introspection_request(Provider) ->
+    #introspect_token_request{
+        endpoint = Provider#oauth_provider.introspection_endpoint,
+        client_id = Provider#oauth_provider.introspection_client_id,
+        client_secret = Provider#oauth_provider.introspection_client_secret,
+        client_auth_method = Provider#oauth_provider.introspection_client_auth_method,
+        ssl_options = Provider#oauth_provider.ssl_options
+    }.
+
 append_paths(Path1, Path2) ->
     erlang:iolist_to_binary([Path1, Path2]).
 
@@ -412,6 +503,9 @@ lookup_root_oauth_provider() ->
         authorization_endpoint = get_env(authorization_endpoint),
         end_session_endpoint = get_env(end_session_endpoint),
         introspection_endpoint = get_env(introspection_endpoint),
+        introspection_client_auth_method = get_env(introspection_client_auth_method),
+        introspection_client_id = get_env(introspection_client_id),
+        introspection_client_secret = get_env(introspection_client_secret),
         ssl_options = extract_ssl_options_as_list(Map)
     }.
 
@@ -546,9 +640,11 @@ get_ssl_options_if_any(OAuthProvider) ->
     end.
 get_timeout_of_default(Timeout) ->
     case Timeout of
-        undefined -> [{timeout, ?DEFAULT_HTTP_TIMEOUT}];
+        undefined -> get_default_timeout();
         Timeout -> [{timeout, Timeout}]
     end.
+get_default_timeout() ->
+    [{timeout, ?DEFAULT_HTTP_TIMEOUT}].
 
 is_json(?CONTENT_JSON) -> true;
 is_json(_) -> false.
@@ -601,8 +697,14 @@ map_to_oauth_provider(PropList) when is_list(PropList) ->
             proplists:get_value(authorization_endpoint, PropList, undefined),
         end_session_endpoint =
             proplists:get_value(end_session_endpoint, PropList, undefined),
-        introspection_endpoint = 
+        introspection_endpoint =
             proplists:get_value(introspection_endpoint, PropList, undefined),
+        introspection_client_id =
+            proplists:get_value(introspection_client_id, PropList, undefined),
+        introspection_client_secret =
+            proplists:get_value(introspection_client_secret, PropList, undefined),
+        introspection_client_auth_method = 
+            proplists:get_value(introspection_client_auth_method, PropList, basic),
         jwks_uri =
             proplists:get_value(jwks_uri, PropList, undefined),
         ssl_options =
diff --git a/deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl b/deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl
@@ -49,8 +49,6 @@
   preferred_username_claims :: list(),
   scope_aliases :: map() | undefined,
   oauth_provider_id :: oauth_provider_id(),
-  oauth_client_id :: binary() | undefined,
-  oauth_client_secret :: binary() | undefined,
   access_token_format :: jwt | opaque | undefined
  }).
 
diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -352,7 +352,7 @@
 
 %% basic_authorization -> Authorization: Basic base64(client_id, client_secret)
 %% post_request_param -> &client_id=<client_id>&client_secret=<client_secret>
-{mapping, 
+{mapping,
  "auth_oauth2.oauth_providers.$name.introspection_client_auth_method", 
  "rabbitmq_auth_backend_oauth2.oauth_providers",
  [{datatype, {enum, [basic, request_param]}}]}.
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
@@ -151,24 +151,32 @@ expiry_timestamp(#auth_user{impl = DecodedTokenFun}) ->
 
 authenticate(_, AuthProps0) ->
     AuthProps = to_map(AuthProps0),
-    Token     = token_from_context(AuthProps),
-    case resolve_resource_server(Token) of
-        {error, _} = Err0 ->
-            {refused, "Authentication using OAuth 2/JWT token failed: ~tp", [Err0]};
-        {ResourceServer, _} = Tuple ->
-            case check_token(Token, Tuple) of
-                {refused, {error, {invalid_token, error, _Err, _Stacktrace}}} ->
-                    {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid", []};
-                {refused, Err} ->
-                    {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
-                {ok, DecodedToken} ->
-                    case with_decoded_token(DecodedToken, fun(In) -> auth_user_from_token(In, ResourceServer) end) of
-                        {error, Err} ->
+    Token0     = token_from_context(AuthProps),
+    TokenResult = case uaa_jwt_jwt:is_jwt_token(Token0) of 
+        true -> {ok, Token0};
+        false -> oauth_client:introspect_token(Token0)
+    end,
+    case TokenResult of 
+        {ok, Token} ->
+            case resolve_resource_server(Token) of
+                {error, _} = Err0 ->
+                    {refused, "Authentication using OAuth 2/JWT token failed: ~tp", [Err0]};
+                {ResourceServer, _} = Tuple ->
+                    case check_token(Token, Tuple) of
+                        {refused, {error, {invalid_token, error, _Err, _Stacktrace}}} ->
+                            {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid", []};
+                        {refused, Err} ->
                             {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
-                        Else ->
-                            Else
+                        {ok, DecodedToken} ->
+                            case with_decoded_token(DecodedToken, fun(In) -> auth_user_from_token(In, ResourceServer) end) of
+                                {error, Err} ->
+                                    {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
+                                Else ->
+                                    Else
+                            end
                     end
-            end
+            end;
+        _ -> TokenResult
     end.
 
 -spec with_decoded_token(Token, Fun) -> Result
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_provider.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_provider.erl
@@ -28,7 +28,6 @@ get_internal_oauth_provider(OAuthProviderId) ->
         algorithms = get_algorithms(OAuthProviderId)
     }.
 
-
 %%
 %% Signing Key storage:
 %%
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_resource_server.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_resource_server.erl
@@ -11,7 +11,6 @@
 
 -export([
     resolve_resource_server_from_audience/1,
-    resolve_single_resource_server_with_opaque_access_token_format/0,
     new_resource_server/1
 ]).
 
@@ -58,38 +57,6 @@ resolve_resource_server_from_audience(Audience) ->
             {ok, get_resource_server(ResourceServerId)}
     end.
 
--spec resolve_single_resource_server_with_opaque_access_token_format() -> 
-     {ok, resource_server()} |
-     {error, too_many_matched_resource_servers_only_one_allowed} |
-     {error, no_resource_server_found}.
-resolve_single_resource_server_with_opaque_access_token_format() ->
-    case get_root_resource_server_id() of 
-        <<>> -> 
-            find_unique_resource_server_with_opaque_access_token_format();
-        _ -> 
-            Root = get_root_resource_server(),
-            case Root#resource_server.access_token_format of 
-                opaque -> {ok, Root};
-                _ -> find_unique_resource_server_with_opaque_access_token_format()
-            end
-    end.
-
-find_unique_resource_server_with_opaque_access_token_format() ->   
-    Map0 = maps:fold(fun(K,V,Acc)->
-        case V#resource_server.access_token_format of 
-            opaque -> 
-                case maps:is_key(V#resource_server.oauth_provider_id, Acc) of 
-                    false -> maps:put(V#resource_server.oauth_provider_id, K, Acc);
-                    true -> Acc
-                end;
-            _ -> Acc
-        end end, #{}, get_env(resource_servers, #{})),
-    case maps:size(Map0) of 
-        0 -> {error, no_resource_server_found};
-        1 -> {ok, lists:last(maps:values(Map0))};
-        _ ->  {error, too_many_matched_resource_servers_only_one_allowed}
-    end.
-    
 -spec get_root_resource_server_id() -> resource_server_id().
 get_root_resource_server_id() ->
     get_env(resource_server_id, <<>>).
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_resource_server_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_resource_server_SUITE.erl
@@ -19,9 +19,7 @@
 -define(OAUTH_PROVIDER_B,<<"B">>).
 
 -import(oauth2_client, [get_oauth_provider/2]).
--import(rabbit_oauth2_resource_server, 
-    [resolve_resource_server_from_audience/1,
-     resolve_single_resource_server_with_opaque_access_token_format/0]).
+-import(rabbit_oauth2_resource_server, [resolve_resource_server_from_audience/1]).
 
 
 all() -> [
@@ -40,16 +38,11 @@ groups() -> [
             resolve_resource_server_for_none_audience_returns_rabbitmq,
             resolve_resource_server_for_unknown_audience_returns_rabbitmq
         ]},
-        cannot_resolve_resource_server_for_opaque_access_token,
-        {with_opaque_access_token_format, [], [
-            resolve_resource_server_for_opaque_access_token
-        ]},
         {verify_get_rabbitmq_server_configuration, [],
             verify_get_rabbitmq_server_configuration()}
     ]},
     {without_resource_server_id, [], [
-        resolve_resource_server_id_for_any_audience_returns_no_matching_aud_found,
-        cannot_resolve_resource_server_for_opaque_access_token
+        resolve_resource_server_id_for_any_audience_returns_no_matching_aud_found
     ]},
 
     {with_two_resource_servers, [], [
@@ -58,17 +51,13 @@ groups() -> [
         resolve_resource_server_id_for_both_resources_returns_error,
         resolve_resource_server_for_none_audience_returns_no_aud_found,
         resolve_resource_server_for_unknown_audience_returns_no_matching_aud_found,
-        cannot_resolve_resource_server_for_opaque_access_token,
         {with_verify_aud_false, [], [
             resolve_resource_server_for_none_audience_returns_rabbitmq2,
             resolve_resource_server_for_unknown_audience_returns_rabbitmq2,
             {with_rabbitmq1_verify_aud_false, [], [
                 resolve_resource_server_for_none_audience_returns_error
             ]}
-        ]},
-        {with_opaque_access_token_format_for_rabbitmq1_and_rabbitmq2, [], [
-            resolve_resource_server_for_opaque_access_token
-        ]},
+        ]},       
         verify_rabbitmq1_server_configuration,
         {verify_configuration_inheritance_with_rabbitmq2, [],
             verify_configuration_inheritance_with_rabbitmq2()},
@@ -216,19 +205,6 @@ init_per_group(with_two_resource_servers, Config) ->
     [{?RABBITMQ_RESOURCE_ONE, RabbitMQ1}, {?RABBITMQ_RESOURCE_TWO, RabbitMQ2}]
         ++ Config;
 
-init_per_group(with_opaque_access_token_format, Config) ->
-    set_env(access_token_format, opaque),
-    Config;
-
-init_per_group(with_opaque_access_token_format_for_rabbitmq1_and_rabbitmq2, Config) ->
-    RabbitMQServers = get_env(resource_servers, #{}),
-    Resource0 = maps:get(?RABBITMQ_RESOURCE_ONE, RabbitMQServers, []),
-    Resource = [{access_token_format, opaque} | Resource0],
-    Maps0 = maps:put(?RABBITMQ_RESOURCE_ONE, Resource, RabbitMQServers),
-    Maps1 = maps:put(?RABBITMQ_RESOURCE_TWO, Resource, Maps0),
-    set_env(resource_servers, Maps1),
-    Config;
-
 init_per_group(_any, Config) ->
     Config.
 
@@ -280,10 +256,6 @@ end_per_group(with_scope_aliases, Config) ->
     unset_env(scope_aliases),
     Config;
 
-end_per_group(with_opaque_access_token_format, Config) ->
-    unset_env(access_token_format),
-    Config;
-
 end_per_group(_any, Config) ->
     Config.
 
@@ -332,13 +304,6 @@ resolve_resource_server_id_for_both_resources_returns_error(_) ->
     assert_resource_server_id({error, aud_matched_many_resource_servers_only_one_allowed},
         [?RABBITMQ_RESOURCE_TWO, ?RABBITMQ_RESOURCE_ONE]).
 
-resolve_resource_server_for_opaque_access_token(_) ->
-    {ok, Actual} = resolve_single_resource_server_with_opaque_access_token_format(),
-    ?assertEqual(?RABBITMQ, Actual#resource_server.id).
-
-cannot_resolve_resource_server_for_opaque_access_token(_) ->
-    {error, no_resource_server_found} = resolve_single_resource_server_with_opaque_access_token_format().
-
 rabbitmq_verify_aud_is_true(_) ->
     assert_verify_aud(true, ?RABBITMQ).
 
