
Allow Token Introspection to be customized #493

Closed

0x676e67 opened this issue Nov 14, 2021 · 13 comments
Labels: type: enhancement (A general enhancement)

Comments
@0x676e67

  • How can I return custom token information?

The OAuth2TokenIntrospectionAuthenticationProvider authentication provider does not return the full token information; for example, I added custom authorities information. This is important to me because the resource server needs it to extract the corresponding permissions for the token.

  • code

```java
// Imports used by this excerpt (all from Spring Security / Spring Authorization Server).
import java.time.Instant;
import java.util.List;
import java.util.Map;

import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospection;
import org.springframework.security.oauth2.jwt.JwtClaimAccessor;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

// withActiveTokenClaims() as found in OAuth2TokenIntrospectionAuthenticationProvider.
// Only the standard introspection claims are copied from the stored token, so a custom
// claim such as "authorities" never reaches the introspection response.
private static OAuth2TokenIntrospection withActiveTokenClaims(
        OAuth2Authorization.Token<AbstractOAuth2Token> authorizedToken, RegisteredClient authorizedClient) {

    OAuth2TokenIntrospection.Builder tokenClaims = OAuth2TokenIntrospection.builder(true)
            .clientId(authorizedClient.getClientId());

    // TODO Set "username"

    AbstractOAuth2Token token = authorizedToken.getToken();
    if (token.getIssuedAt() != null) {
        tokenClaims.issuedAt(token.getIssuedAt());
    }
    if (token.getExpiresAt() != null) {
        tokenClaims.expiresAt(token.getExpiresAt());
    }

    if (OAuth2AccessToken.class.isAssignableFrom(token.getClass())) {
        OAuth2AccessToken accessToken = (OAuth2AccessToken) token;
        tokenClaims.scopes(scopes -> scopes.addAll(accessToken.getScopes()));
        tokenClaims.tokenType(accessToken.getTokenType().getValue());

        Map<String, Object> claims = authorizedToken.getClaims();
        if (!CollectionUtils.isEmpty(claims)) {
            // Assuming JWT as it's the only (currently) supported access token format
            JwtClaimAccessor jwtClaims = () -> claims;

            Instant notBefore = jwtClaims.getNotBefore();
            if (notBefore != null) {
                tokenClaims.notBefore(notBefore);
            }
            tokenClaims.subject(jwtClaims.getSubject());
            List<String> audience = jwtClaims.getAudience();
            if (!CollectionUtils.isEmpty(audience)) {
                tokenClaims.audiences(audiences -> audiences.addAll(audience));
            }
            tokenClaims.issuer(jwtClaims.getIssuer().toExternalForm());
            String jti = jwtClaims.getId();
            if (StringUtils.hasText(jti)) {
                tokenClaims.id(jti);
            }
        }
    }

    return tokenClaims.build();
}
```

  • return

```json
{
    "active": true,
    "client_id": "system",
    "iat": 1636896937,
    "exp": 1636900537,
    "scope": "all",
    "token_type": "Bearer",
    "nbf": 1636896937,
    "sub": "admin",
    "aud": [
        "system"
    ],
    "iss": "http://127.0.0.1:9000"
}
```

  • should return

```json
{
  "sub": "admin",
  "aud": "system",
  "nbf": 1636896937,
  "user_id": 1,
  "scope": [
    "all"
  ],
  "iss": "http://127.0.0.1:9000",
  "exp": 1636900537,
  "iat": 1636896937,
  "authorities": [
    "ROLE_admin"
  ]
}
```
@0x676e67 0x676e67 added the type: enhancement A general enhancement label Nov 14, 2021
@jgrandja jgrandja changed the title about '/oauth2/introspect' endpoint returns to token information Allow Token Introspection to be customized Nov 17, 2021
@jgrandja
Collaborator

jgrandja commented Nov 17, 2021

Thanks for the report @zf1976. At the moment, the Token Introspection endpoint cannot be customized. We will look at adding this support soon.

In the meantime, the JWT received by the Resource Server should be able to parse the claims and authorize on the authorities claim? You don't need to call the Token Introspection endpoint.
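The workaround suggested in this comment, written out as an added example for this page (it is not code from the issue or from the project): a Spring Security resource server configuration that validates the JWT locally and maps its custom "authorities" claim (values such as "ROLE_admin", as in the expected response above) to granted authorities. It uses the Spring Security 5.x DSL current at the time of the thread; the "/admin/**" path, the configuration class name and the issuer-uri property value are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerSecurityConfig { // assumed class name

    // Read the custom "authorities" claim (e.g. ["ROLE_admin"]) instead of the default
    // "scope"/"scp" claims. The values already carry the ROLE_ prefix, so the converter's
    // default "SCOPE_" prefix is cleared; otherwise hasRole("admin") would look for
    // "ROLE_admin" and never match "SCOPE_ROLE_admin".
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
        authoritiesConverter.setAuthoritiesClaimName("authorities");
        authoritiesConverter.setAuthorityPrefix("");

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
        return converter;
    }

    @Bean
    SecurityFilterChain resourceServerFilterChain(HttpSecurity http,
            JwtAuthenticationConverter jwtAuthenticationConverter) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // "/admin/**" is an assumed path; hasRole("admin") requires the "ROLE_admin" authority.
                // On Spring Security 6.x replace antMatchers with requestMatchers.
                .antMatchers("/admin/**").hasRole("admin")
                .anyRequest().authenticated())
            // Signature, issuer and expiry are checked by the JwtDecoder that Spring Boot builds from
            // spring.security.oauth2.resourceserver.jwt.issuer-uri (assumed: http://127.0.0.1:9000).
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)));
        return http.build();
    }
}
```

Local validation proves that the JWT was signed by the authorization server and is within its validity window; it cannot tell whether the token has since been revoked, which is the case the author raises further down when explaining why the introspection endpoint was needed.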

@0x676e67
Author

> Thanks for the report @zf1976. At the moment, the Token Introspection endpoint cannot be customized. We will look at adding this support soon.
>
> In the meantime, the JWT received by the Resource Server should be able to parse the claims and authorize on the authorities claim? You don't need to call the Token Introspection endpoint.

Thanks for your advice.

@jgrandja
Collaborator

@zf1976 Just confirming that you no longer need this customization capability since you closed the issue?

@jgrandja jgrandja self-assigned this Nov 17, 2021
@0x676e67
Author

> @zf1976 Just confirming that you no longer need this customization capability since you closed the issue?

I needed the introspection endpoint to verify whether the token was revoked, and, given the problem above, I found a solution: manually parsing to obtain the AUTHORITIES attribute.

@0x676e67
Author

I want the endpoint to be able to return custom attributes

@jgrandja
Collaborator

@zf1976

> I want the endpoint to be able to return custom attributes

Reopening and will look at adding this capability soon.

@jgrandja jgrandja reopened this Nov 18, 2021
@jgrandja jgrandja removed their assignment Nov 18, 2021
@jgrandja jgrandja added this to the 0.2.3 milestone Dec 2, 2021
@codreamx

codreamx commented Dec 6, 2021

It's too long to wait for version 0.2.3. Can you advance it? Thanks!

@endink

endink commented Dec 11, 2021

+1
Need the feature too!

@gourav
Contributor

gourav commented Jan 14, 2022

Hi @jgrandja .
I would like to work on this one.

@jgrandja
Collaborator

jgrandja commented Jan 17, 2022

The issue is yours @Erised. Thanks!

@gourav
Contributor

gourav commented Feb 10, 2022

Hi @jgrandja.
May I know how you envision this being implemented?

I think putting authorities in claims is straightforward. They can be pulled from the available authentication itself.
But for the custom claims, should I create an interface that may optionally be implemented by subclasses of OAuth2Token to decide which claims to include in the introspect response?

Or should the content of OAuth2TokenIntrospection#withActiveTokenClaims be extracted into a claims mapping strategy that can be configured via OAuth2AuthorizationServerConfigurer?

@jgrandja
Collaborator

jgrandja commented Feb 11, 2022

Hi @Erised

> I think putting authorities in claims is straightforward

authorities is not a standard claim, so we don't want to add this. The standard claims are implemented in OAuth2TokenIntrospectionAuthenticationProvider.withActiveTokenClaims(), so no additional work is necessary.

We need the capability to customize the default claims initialized by withActiveTokenClaims().

Take a look at OidcUserInfoAuthenticationProvider.setUserInfoMapper() for inspiration, as the implementation might be similar. For example, we could create a new class OAuth2TokenIntrospectionAuthenticationContext that provides a getter for accessing OAuth2TokenIntrospection.Builder, allowing to customize the claims before build() is called.
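A sketch of the design described in this comment, added here as an illustration; it is not the project's code, and the page does not show the API that was eventually released, so the context class, its getters, the IntrospectionClaimsMapper holder and setIntrospectionCustomizer() are all assumed names. It shows the two pieces the comment calls for: a context that exposes the OAuth2TokenIntrospection.Builder after the standard claims have been set, and a customizer that runs against it before build() is called (here copying the stored token's "authorities" claim into the response). The types OAuth2TokenIntrospection, OAuth2Authorization.Token and RegisteredClient are the real ones used in the excerpt above.

```java
import java.util.Map;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospection;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.Assert;

/**
 * Hypothetical context (assumed name, following the comment's suggestion) handed to a
 * customizer after the standard claims are populated but before Builder#build() is called.
 */
final class OAuth2TokenIntrospectionAuthenticationContext {
    private final OAuth2Authorization.Token<AbstractOAuth2Token> authorizedToken;
    private final RegisteredClient registeredClient;
    private final OAuth2TokenIntrospection.Builder claims;

    OAuth2TokenIntrospectionAuthenticationContext(
            OAuth2Authorization.Token<AbstractOAuth2Token> authorizedToken,
            RegisteredClient registeredClient, OAuth2TokenIntrospection.Builder claims) {
        this.authorizedToken = authorizedToken;
        this.registeredClient = registeredClient;
        this.claims = claims;
    }

    OAuth2Authorization.Token<AbstractOAuth2Token> getAuthorizedToken() { return this.authorizedToken; }
    RegisteredClient getRegisteredClient() { return this.registeredClient; }
    OAuth2TokenIntrospection.Builder getClaims() { return this.claims; }
}

/**
 * Assumed holder for the hook: the provider would hand it the Builder produced by
 * withActiveTokenClaims() and let the customizer run before build().
 */
final class IntrospectionClaimsMapper {
    private Consumer<OAuth2TokenIntrospectionAuthenticationContext> customizer = context -> { };

    void setIntrospectionCustomizer(Consumer<OAuth2TokenIntrospectionAuthenticationContext> customizer) {
        Assert.notNull(customizer, "customizer cannot be null");
        this.customizer = customizer;
    }

    OAuth2TokenIntrospection map(OAuth2TokenIntrospection.Builder standardClaims,
            OAuth2Authorization.Token<AbstractOAuth2Token> authorizedToken, RegisteredClient client) {
        OAuth2TokenIntrospectionAuthenticationContext context =
                new OAuth2TokenIntrospectionAuthenticationContext(authorizedToken, client, standardClaims);
        this.customizer.accept(context);   // customize the claims before build()
        return context.getClaims().build();
    }
}

/** Example customizer: copy the token's "authorities" claim into the response, if the token carries one. */
final class AuthoritiesIntrospectionCustomizer
        implements Consumer<OAuth2TokenIntrospectionAuthenticationContext> {

    @Override
    public void accept(OAuth2TokenIntrospectionAuthenticationContext context) {
        // OAuth2Authorization.Token#getClaims() may be null for non-JWT tokens (the excerpt above guards for this too).
        Map<String, Object> tokenClaims = context.getAuthorizedToken().getClaims();
        if (tokenClaims == null) {
            return;
        }
        Object authorities = tokenClaims.get("authorities");
        if (authorities != null) {
            // Only surface what the issued token already carries; the introspection
            // endpoint must not mint authorities that were never bound to the token.
            context.getClaims().claim("authorities", authorities);
        }
    }
}
```

Keeping the customizer limited to claims already stored on the token matters for the revocation use case raised earlier in the thread: the resource server trusts the introspection response as the authoritative view of the token, so the response should only ever reflect the token's own state.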

doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023
@torresdiego

How to customize the introspection endpoint using OAuth2TokenIntrospectionEndpointConfigurer? The documentation only shows how to customize the userinfo endpoint.
