Closed
Hello,
In IntrospectionService.php, we should use the proper aud key in the client_assertion, which should be provided by the issuer.
In order to do that, we should do:
```php
public function introspect(OpenIDClient $client, string $token, array $params = []): array
{
    $endpointUri = get_endpoint_uri($client, 'introspection_endpoint');
    $authMethod = $client->getAuthMethodFactory()
        ->create($client->getMetadata()->getIntrospectionEndpointAuthMethod());
    $tokenRequest = $this->requestFactory->createRequest('POST', $endpointUri)
        ->withHeader('content-type', 'application/x-www-form-urlencoded');

    // This is the changes: default the client_assertion audience to the
    // issuer's introspection endpoint; a caller-supplied 'aud' in $params wins,
    // because the array union operator keeps existing keys.
    $params += [
        'token' => $token,
        'aud' => $client->getIssuer()->getMetadata()->getIntrospectionEndpoint(),
    ];
    // This is the end of the changes.

    $tokenRequest = $authMethod->createRequest($tokenRequest, $client, $params);
    $httpClient = $client->getHttpClient() ?? $this->client;
    try {
        $response = $httpClient->sendRequest($tokenRequest);
    } catch (ClientExceptionInterface $e) {
        throw new RuntimeException('Unable to get introspection response', 0, $e);
    }

    return parse_metadata_response($response, 200);
}
```

By using this construction, the user is free to customize this as well if needed through the $claims variable.
This issue depends on #6
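An added illustration, not code from this issue or the library, of why the aud matters: a client_secret_jwt assertion built with the same `$params +=` merge the proposal uses, beside the check an authorization server runs on it. The auth method (client_secret_jwt, chosen so the block needs no key material), the endpoint URLs, client id and secret are all constructed.

```php
<?php
declare(strict_types=1);

function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Client side. Mirrors "$params += ['aud' => ...]": a caller-supplied 'aud'
// is kept, otherwise the introspection endpoint becomes the audience.
function buildAssertion(string $clientId, string $secret, string $introspectionEndpoint, array $params = []): string
{
    $params += ['aud' => $introspectionEndpoint];
    $now = time();
    $claims = [
        'iss' => $clientId,
        'sub' => $clientId,
        'aud' => $params['aud'],
        'jti' => bin2hex(random_bytes(16)), // one-time id, lets the server reject replays
        'iat' => $now,
        'exp' => $now + 60,
    ];
    $signingInput = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.' . b64url(json_encode($claims));
    return $signingInput . '.' . b64url(hash_hmac('sha256', $signingInput, $secret, true));
}

// Server side. Verifies the HMAC, then requires aud to name the endpoint the
// assertion was presented at, so an assertion minted for the token endpoint
// cannot be reused against introspection.
function verifyAssertion(string $jwt, string $secret, string $thisEndpoint): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $s] = $parts;
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {
        return false;
    }
    $claims = json_decode(base64_decode(strtr($p, '-_', '+/')), true);
    $aud = (array) ($claims['aud'] ?? []);
    return in_array($thisEndpoint, $aud, true) && ($claims['exp'] ?? 0) > time();
}

$introspection = 'https://issuer.example/introspect'; // constructed
$tokenEndpoint = 'https://issuer.example/token';      // constructed
$ok  = buildAssertion('client-1', 'top-secret', $introspection);
$bad = buildAssertion('client-1', 'top-secret', $introspection, ['aud' => $tokenEndpoint]);
var_dump(verifyAssertion($ok, 'top-secret', $introspection));  // accepted
var_dump(verifyAssertion($bad, 'top-secret', $introspection)); // rejected: aud names another endpoint
```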