
Allow Token Introspection to be customized #493

@0x676e67

Description

  • How can I return the information of the custom token?

The OAuth2TokenIntrospectionAuthenticationProvider authentication provider cannot fully return token information; for example, I added custom authorities information. This is important to me because the resource server needs it to extract the corresponding permissions for the token.

  • code
private static OAuth2TokenIntrospection withActiveTokenClaims(
			OAuth2Authorization.Token<AbstractOAuth2Token> authorizedToken, RegisteredClient authorizedClient) {

		OAuth2TokenIntrospection.Builder tokenClaims = OAuth2TokenIntrospection.builder(true)
				.clientId(authorizedClient.getClientId());

		// TODO Set "username"

		AbstractOAuth2Token token = authorizedToken.getToken();
		if (token.getIssuedAt() != null) {
			tokenClaims.issuedAt(token.getIssuedAt());
		}
		if (token.getExpiresAt() != null) {
			tokenClaims.expiresAt(token.getExpiresAt());
		}

		if (OAuth2AccessToken.class.isAssignableFrom(token.getClass())) {
			OAuth2AccessToken accessToken = (OAuth2AccessToken) token;
			tokenClaims.scopes(scopes -> scopes.addAll(accessToken.getScopes()));
			tokenClaims.tokenType(accessToken.getTokenType().getValue());

			Map<String, Object> claims = authorizedToken.getClaims();
			if (!CollectionUtils.isEmpty(claims)) {
				// Assuming JWT as it's the only (currently) supported access token format
				JwtClaimAccessor jwtClaims = () -> claims;

				Instant notBefore = jwtClaims.getNotBefore();
				if (notBefore != null) {
					tokenClaims.notBefore(notBefore);
				}
				tokenClaims.subject(jwtClaims.getSubject());
				List<String> audience = jwtClaims.getAudience();
				if (!CollectionUtils.isEmpty(audience)) {
					tokenClaims.audiences(audiences -> audiences.addAll(audience));
				}
				tokenClaims.issuer(jwtClaims.getIssuer().toExternalForm());
				String jti = jwtClaims.getId();
				if (StringUtils.hasText(jti)) {
					tokenClaims.id(jti);
				}
			}
		}

		return tokenClaims.build();
	}
  • return
{
    "active": true,
    "client_id": "system",
    "iat": 1636896937,
    "exp": 1636900537,
    "scope": "all",
    "token_type": "Bearer",
    "nbf": 1636896937,
    "sub": "admin",
    "aud": [
        "system"
    ],
    "iss": "http://127.0.0.1:9000"
}
  • should return
{
  "sub": "admin",
  "aud": "system",
  "nbf": 1636896937,
  "user_id": 1,
  "scope": [
    "all"
  ],
  "iss": "http://127.0.0.1:9000",
  "exp": 1636900537,
  "iat": 1636896937,
  "authorities": [
    "ROLE_admin"
  ]
}
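Added example (not code from the issue or from Spring Authorization Server): a resource-server-side consumer of the introspection response that accepts both shapes shown above (`scope` as a space-delimited string or a list, `aud` as a string or a list), enforces `active`, `exp`, `nbf`, `aud` and `iss` before trusting anything, and only then extracts the `authorities` and `user_id` claims the issue asks for. The expected audience and issuer values and the clock-skew tolerance are assumptions; RFC 7662 requires `active`, so it is added to the constructed sample of the desired response.

```python
import json
import time

# Constructed for this example: what this resource server expects to see.
EXPECTED_AUD = "system"
EXPECTED_ISS = "http://127.0.0.1:9000"
CLOCK_SKEW = 60  # seconds of tolerated clock drift between the two servers

# Constructed samples, one per response shape shown in the issue. RFC 7662
# makes "active" mandatory, so it is added to the desired-response sample.
CURRENT_RESPONSE = json.dumps({"active": True, "client_id": "system",
    "iat": 1636896937, "exp": 1636900537, "scope": "all", "token_type": "Bearer",
    "nbf": 1636896937, "sub": "admin", "aud": ["system"], "iss": EXPECTED_ISS})
DESIRED_RESPONSE = json.dumps({"active": True, "sub": "admin", "aud": "system",
    "nbf": 1636896937, "user_id": 1, "scope": ["all"], "iss": EXPECTED_ISS,
    "exp": 1636900537, "iat": 1636896937, "authorities": ["ROLE_admin"]})


def _scopes(value):
    """RFC 7662 'scope' is a space-delimited string; a list is also accepted."""
    if value is None:
        return []
    return value.split() if isinstance(value, str) else [str(s) for s in value]


def _audiences(value):
    """'aud' may be a single string or an array of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else [str(a) for a in value]


def permissions_from_introspection(raw, now=None):
    """Validate an introspection response and return only what the resource
    server may act on. Raises PermissionError rather than returning partial trust."""
    now = int(time.time()) if now is None else now
    data = json.loads(raw)
    if data.get("active") is not True:
        raise PermissionError("token is not active")
    if "exp" in data and now >= int(data["exp"]) + CLOCK_SKEW:
        raise PermissionError("token expired")
    if "nbf" in data and now < int(data["nbf"]) - CLOCK_SKEW:
        raise PermissionError("token not yet valid")
    if EXPECTED_AUD not in _audiences(data.get("aud")):
        raise PermissionError("token not issued for this resource server")
    if data.get("iss") != EXPECTED_ISS:
        raise PermissionError("unexpected issuer")
    authorities = data.get("authorities", [])
    if not isinstance(authorities, list) or not all(isinstance(a, str) for a in authorities):
        raise PermissionError("malformed authorities claim")
    return {"subject": data.get("sub"), "user_id": data.get("user_id"),
            "scopes": _scopes(data.get("scope")), "authorities": sorted(authorities)}
```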
