class Doorkeeper::OAuth::TokenIntrospection
Public Class Methods
new(server, token)

    # File lib/doorkeeper/oauth/token_introspection.rb, line 11
    def initialize(server, token)
      @server = server
      @token = token
    end
Public Instance Methods
error_response()

    # File lib/doorkeeper/oauth/token_introspection.rb, line 21
    def error_response
      return if @error.blank?

      if @error == Errors::InvalidToken
        OAuth::InvalidTokenResponse.from_access_token(authorized_token)
      elsif @error == Errors::InvalidRequest
        OAuth::InvalidRequestResponse.from_request(self)
      else
        OAuth::ErrorResponse.from_request(self)
      end
    end
to_json(*)

    # File lib/doorkeeper/oauth/token_introspection.rb, line 33
    def to_json(*)
      active? ? success_response : failure_response
    end
Private Instance Methods
active?()

    # File lib/doorkeeper/oauth/token_introspection.rb, line 167
    def active?
      if authorized_client
        valid_token? && token_introspection_allowed?(auth_client: authorized_client.application)
      else
        valid_token?
      end
    end
Boolean indicator of whether or not the presented token is currently active. The specifics of a token’s “active” state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a “true” value return for the “active” property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).
Any other error is considered an “inactive” token:

- The token requested does not exist or is invalid
- The token expired
- The token was issued to a different client than is making this request

Since resource servers using token introspection rely on the authorization server to determine the state of a token, the authorization server MUST perform all applicable checks against a token’s state. For instance, these tests include the following:

- If the token can expire, the authorization server MUST determine whether or not the token has expired.
- If the token can be issued before it is able to be used, the authorization server MUST determine whether or not a token's valid period has started yet.
- If the token can be revoked after it was issued, the authorization server MUST determine whether or not such a revocation has taken place.
- If the token has been signed, the authorization server MUST validate the signature.
- If the token can be used only at certain resource servers, the authorization server MUST determine whether or not the token can be used at the resource server making the introspection call.
customize_response(response)

    # File lib/doorkeeper/oauth/token_introspection.rb, line 205
    def customize_response(response)
      customized_response = Doorkeeper.config.custom_introspection_response.call(
        token,
        server.context,
      )
      return response if customized_response.blank?

      response.merge(customized_response)
    end

Allows the introspection response to be customized. The configured callable receives the token and the context (controller) so that a developer-specific response can be generated; whatever it returns is merged over the default response, and a blank return value leaves the default response unchanged.
failure_response()

    # File lib/doorkeeper/oauth/token_introspection.rb, line 126
    def failure_response
      {
        active: false,
      }
    end
If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the “active” field set to “false”. Note that to avoid disclosing too much of the authorization server’s state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.
@see datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
success_response()

    # File lib/doorkeeper/oauth/token_introspection.rb, line 104
    def success_response
      customize_response(
        active: true,
        scope: @token.scopes_string,
        client_id: @token.try(:application).try(:uid),
        token_type: @token.token_type,
        exp: @token.expires_at.to_i,
        iat: @token.created_at.to_i,
      )
    end
2.2. Introspection Response
token_introspection_allowed?(auth_client: nil, auth_token: nil)

    # File lib/doorkeeper/oauth/token_introspection.rb, line 192
    def token_introspection_allowed?(auth_client: nil, auth_token: nil)
      allow_introspection = Doorkeeper.config.allow_token_introspection
      return allow_introspection unless allow_introspection.respond_to?(:call)

      allow_introspection.call(@token, auth_client, auth_token)
    end

Applies the config constraints for introspection set in Doorkeeper.config.allow_token_introspection. The setting is used as-is when it is a plain boolean; when it responds to call it is invoked with the introspected token, the authenticated client (if any) and the authenticating token (if any), and its return value decides whether introspection is allowed.
valid_token?()

    # File lib/doorkeeper/oauth/token_introspection.rb, line 176
    def valid_token?
      @token&.accessible?
    end

A token can be valid only if it is not expired or revoked.
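The following is an added example, not Doorkeeper's own code, that models the decision made by active?, valid_token?, token_introspection_allowed?, success_response and failure_response above on constructed tokens. It assumes a stand-in Token struct (the field names scopes, client_id, created_at, expires_at, not_before, revoked_at and token_type are assumptions), a stand-in Config struct in place of Doorkeeper.config, and a fixed clock; the not_before check goes beyond the page's valid_token? to cover the RFC 7662 "valid period has started" test quoted above.

```ruby
# Added example, not Doorkeeper's own code: a self-contained model of the
# introspection decision described on this page, using constructed tokens.
require "json"

# Constructed stand-in for Doorkeeper's access-token record (field names assumed).
Token = Struct.new(:scopes, :client_id, :created_at, :expires_at,
                   :not_before, :revoked_at, :token_type, keyword_init: true) do
  # Mirrors valid_token? / accessible?: not expired, not revoked, and (RFC 7662
  # 2.1) not before its validity period has started.
  def accessible?(now)
    return false if expires_at && now >= expires_at   # expired
    return false if not_before && now < not_before    # not yet valid
    revoked_at.nil?                                   # false when revoked
  end
end

# Stand-in for Doorkeeper.config; allow_token_introspection is a boolean or a
# callable receiving (token, auth_client, auth_token).
Config = Struct.new(:allow_token_introspection, keyword_init: true)

class IntrospectionDecision
  def initialize(config:, token:, auth_client_id: nil, now: Time.now)
    @config, @token, @auth_client_id, @now = config, token, auth_client_id, now
  end

  def to_json
    JSON.generate(active? ? success_response : failure_response)
  end

  # Same shape as the page's active?: token validity, plus the configured
  # policy when a client authenticated the introspection call.
  def active?
    return false if @token.nil?
    return valid_token? if @auth_client_id.nil?

    valid_token? && introspection_allowed?
  end

  private

  def valid_token?
    @token.accessible?(@now)
  end

  def introspection_allowed?
    policy = @config.allow_token_introspection
    return policy unless policy.respond_to?(:call)

    policy.call(@token, @auth_client_id, nil)
  end

  # RFC 7662 2.2: an inactive token yields "active": false and nothing else,
  # so the caller cannot learn why (expired vs revoked vs foreign client).
  def failure_response
    { active: false }
  end

  def success_response
    { active: true, scope: @token.scopes.join(" "), client_id: @token.client_id,
      token_type: @token.token_type, exp: @token.expires_at.to_i,
      iat: @token.created_at.to_i }
  end
end

NOW = Time.utc(2024, 1, 1, 12, 0, 0) # fixed clock keeps the example deterministic

# Returns the parsed JSON body, as a resource server would see it.
def introspect(config, token, auth_client_id: nil, now: NOW)
  JSON.parse(IntrospectionDecision.new(config: config, token: token,
                                       auth_client_id: auth_client_id, now: now).to_json)
end

# Policy: a client may introspect only tokens issued to itself.
SAME_CLIENT_ONLY = ->(token, auth_client, _auth_token) { token.client_id == auth_client }
CONFIG = Config.new(allow_token_introspection: SAME_CLIENT_ONLY)

# Constructed sample tokens.
base = { scopes: %w[read write], client_id: "client-a", created_at: NOW - 60,
         expires_at: NOW + 3600, not_before: nil, revoked_at: nil, token_type: "Bearer" }
GOOD    = Token.new(**base)
EXPIRED = Token.new(**base.merge(expires_at: NOW - 1))
REVOKED = Token.new(**base.merge(revoked_at: NOW - 10))
FUTURE  = Token.new(**base.merge(not_before: NOW + 600))

if __FILE__ == $PROGRAM_NAME
  puts introspect(CONFIG, GOOD, auth_client_id: "client-a")    # full response
  puts introspect(CONFIG, GOOD, auth_client_id: "client-b")    # {"active"=>false}
  puts introspect(CONFIG, EXPIRED, auth_client_id: "client-a") # {"active"=>false}
end
```

Note that the three failure cases (foreign client, expired, revoked) produce byte-identical bodies; that is the point of failure_response carrying only active: false, and a custom_introspection_response callable should not be used to leak the reason back into the inactive case.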