class Doorkeeper::OAuth::TokenIntrospection

RFC7662 OAuth 2.0 Token Introspection

@see tools.ietf.org/html/rfc7662

Attributes

error[R]
server[R]
token[R]

Public Class Methods

new(server, token)
# File lib/doorkeeper/oauth/token_introspection.rb, line 10
def initialize(server, token)
  @server = server
  @token = token

  authorize!
end

Public Instance Methods

authorized?()
# File lib/doorkeeper/oauth/token_introspection.rb, line 17
def authorized?
  @error.blank?
end

to_json()
# File lib/doorkeeper/oauth/token_introspection.rb, line 21
def to_json
  active? ? success_response : failure_response
end

Private Instance Methods

active?()

Boolean indicator of whether or not the presented token is currently active. The specifics of a token's “active” state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a “true” value return for the “active” property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).

Any of the following conditions is reported as an “inactive” token:

  • The token requested does not exist or is invalid

  • The token expired

  • The token was issued to a different client than is making this request

# File lib/doorkeeper/oauth/token_introspection.rb, line 104
def active?
  if authorized_client
    valid_token? && authorized_for_client?
  else
    valid_token?
  end
end

authorize!()

If the protected resource uses OAuth 2.0 client credentials to authenticate to the introspection endpoint and its credentials are invalid, the authorization server responds with an HTTP 401 (Unauthorized) as described in Section 5.2 of OAuth 2.0 [RFC6749].

The endpoint must first validate the caller's authentication. If the authentication is invalid, the endpoint should respond with an HTTP 401 status code and an invalid_client error response.

@see www.oauth.com/oauth2-servers/token-introspection-endpoint/

# File lib/doorkeeper/oauth/token_introspection.rb, line 38
def authorize!
  # Requested client authorization
  if server.credentials
    @error = :invalid_client unless authorized_client
  else
    # Requested bearer token authorization
    @error = :invalid_request unless authorized_token
  end
end

authorized_client()

Client Authentication

# File lib/doorkeeper/oauth/token_introspection.rb, line 49
def authorized_client
  @_authorized_client ||= server.credentials && server.client
end

authorized_for_client?()

If the token is not bound to any client, it is public. Otherwise the token must belong to the same client that authenticated to the introspection endpoint.

# File lib/doorkeeper/oauth/token_introspection.rb, line 119
def authorized_for_client?
  if @token.application.present?
    @token.application == authorized_client.application
  else
    true
  end
end

authorized_token()

Bearer Token Authentication

# File lib/doorkeeper/oauth/token_introspection.rb, line 54
def authorized_token
  @_authorized_token ||=
    OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
end

failure_response()

If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the “active” field set to “false”. Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.

@see tools.ietf.org/html/rfc7662 2.2. Introspection Response

# File lib/doorkeeper/oauth/token_introspection.rb, line 82
def failure_response
  {
    active: false
  }
end

success_response()

2.2. Introspection Response

# File lib/doorkeeper/oauth/token_introspection.rb, line 60
def success_response
  {
    active: true,
    scope: @token.scopes_string,
    client_id: @token.try(:application).try(:uid),
    token_type: @token.token_type,
    exp: @token.expires_at.to_i,
    iat: @token.created_at.to_i
  }
end

valid_token?()

A token is valid only if it is neither expired nor revoked.

# File lib/doorkeeper/oauth/token_introspection.rb, line 113
def valid_token?
  @token.present? && @token.accessible?
end
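
The following is an added, self-contained Ruby model of the decision logic documented above (authorize!, active?, authorized_for_client?, valid_token? and the two response shapes); it is example code written for this page, not Doorkeeper's own class or its models. The Application, Client and Token structs, the fixed clock NOW, the sample_token and introspect helpers and the Introspector class are all constructed stand-ins carrying only the attributes the documented methods read; how the error symbol is mapped to an HTTP status is left to the endpoint and is not modelled.

```ruby
# Constructed stand-ins for the Doorkeeper records the documented class touches.
Application = Struct.new(:uid)
Client      = Struct.new(:application)   # the client that authenticated to the endpoint
Token = Struct.new(:scopes_string, :token_type, :created_at, :expires_at,
                   :revoked_at, :application, keyword_init: true) do
  # Stand-in for Doorkeeper's accessible?: neither expired nor revoked.
  def accessible?(now)
    expires_at > now && revoked_at.nil?
  end
end

# Hypothetical introspector reproducing the branching shown on the page.
class Introspector
  # credentials_presented: whether client credentials were sent at all;
  # client: the Client they resolved to (nil when they were invalid);
  # bearer_token: the Token found in a bearer Authorization header, if any.
  def initialize(token:, now:, credentials_presented: false, client: nil, bearer_token: nil)
    @token = token
    @now = now
    @credentials_presented = credentials_presented
    @client = client
    @bearer_token = bearer_token
    authorize!
  end

  def authorized?
    @error.nil?
  end

  # Unauthorized callers learn only the error. Authorized callers get the
  # RFC 7662 response, which for an inactive token is {active: false} alone,
  # so the caller cannot tell expiry, revocation and wrong-client apart.
  def response
    return { error: @error } unless authorized?
    active? ? success_response : failure_response
  end

  private

  # Client credentials take precedence; otherwise a usable bearer token is required.
  def authorize!
    if @credentials_presented
      @error = :invalid_client unless @client
    else
      @error = :invalid_request unless @bearer_token && @bearer_token.accessible?(@now)
    end
  end

  def active?
    @client ? valid_token? && authorized_for_client? : valid_token?
  end

  def valid_token?
    !@token.nil? && @token.accessible?(@now)
  end

  # A token without an owning application is public; otherwise it must belong
  # to the client that authenticated to the endpoint.
  def authorized_for_client?
    @token.application.nil? || @token.application == @client.application
  end

  def success_response
    { active: true, scope: @token.scopes_string,
      client_id: @token.application && @token.application.uid,
      token_type: @token.token_type,
      exp: @token.expires_at.to_i, iat: @token.created_at.to_i }
  end

  def failure_response
    { active: false }
  end
end

# Constructed sample data with a fixed clock so results are reproducible.
NOW   = Time.at(1_700_000_000)
APP_A = Application.new("client-a")
APP_B = Application.new("client-b")

def sample_token(app, expires_in: 3600, revoked: false)
  Token.new(scopes_string: "read write", token_type: "Bearer",
            created_at: NOW - 60, expires_at: NOW + expires_in,
            revoked_at: revoked ? NOW - 10 : nil, application: app)
end

def introspect(token, **opts)
  Introspector.new(token: token, now: NOW, **opts).response
end

if __FILE__ == $PROGRAM_NAME
  own = sample_token(APP_A)
  p introspect(own, credentials_presented: true, client: Client.new(APP_A))  # full claims
  p introspect(own, credentials_presented: true, client: Client.new(APP_B))  # {active: false}
  p introspect(sample_token(APP_A, revoked: true),
               credentials_presented: true, client: Client.new(APP_A))      # {active: false}
  p introspect(own, credentials_presented: true, client: nil)               # {error: :invalid_client}
end
```

Running the script shows the three cases a resource server most needs to distinguish in its own logs but must not be able to distinguish from the response: another client's token, a revoked token and an expired token all come back as the bare {active: false}, while a failed client authentication never reaches the token check at all.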