class Doorkeeper::OAuth::TokenIntrospection
Attributes
Public Class Methods
    # File lib/doorkeeper/oauth/token_introspection.rb, line 10
    def initialize(server, token)
      @server = server
      @token = token
      authorize! # authenticate the introspecting client before anything else
    end
Public Instance Methods
    # File lib/doorkeeper/oauth/token_introspection.rb, line 21
    def to_json
      active? ? success_response : failure_response
    end
Private Instance Methods
Boolean indicator of whether or not the presented token is currently active. The specifics of a token's “active” state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a “true” value return for the “active” property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).
Any of the following conditions makes the token “inactive”:

- The token requested does not exist or is invalid
- The token has expired
- The token was issued to a different client than the one making this request
    # File lib/doorkeeper/oauth/token_introspection.rb, line 104
    def active?
      if authorized_client
        # a client-authenticated request may only introspect its own tokens
        valid_token? && authorized_for_client?
      else
        valid_token?
      end
    end
If the introspection call is properly authorized but the token is not active, does not exist on this server, or the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the “active” field set to “false”. Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.
See RFC 7662, section 2.2, Introspection Response (tools.ietf.org/html/rfc7662).

    # File lib/doorkeeper/oauth/token_introspection.rb, line 82
    def failure_response
      { active: false } # deliberately nothing else: no reason is disclosed
    end
See RFC 7662, section 2.2, Introspection Response.

    # File lib/doorkeeper/oauth/token_introspection.rb, line 60
    def success_response
      {
        active: true,
        scope: @token.scopes_string,
        client_id: @token.try(:application).try(:uid),
        token_type: @token.token_type,
        exp: @token.expires_at.to_i,
        iat: @token.created_at.to_i
      }
    end
A token is valid only if it exists and is neither expired nor revoked.

    # File lib/doorkeeper/oauth/token_introspection.rb, line 113
    def valid_token?
      @token.present? && @token.accessible?
    end
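The decision tree documented on this page, modelled end to end as an added example (this is not Doorkeeper's own code). A constructed `FakeToken` struct stands in for `Doorkeeper::AccessToken`, with `accessible?` reimplemented in the sense used above (neither expired nor revoked); `authorized_client` is passed in directly instead of being resolved from the server's credentials, which the page does not show; and the `authorized_for_client?` rule (the token's application must match the introspecting client) follows the third bullet above and is an assumption about Doorkeeper's exact check. Running it shows that every inactive case, whether expired, revoked, missing, or introspected by a different client, yields the bare `{ active: false }` response and nothing about why.

```ruby
require "time"

# Constructed stand-in for a Doorkeeper access token record (not the real model).
# `accessible?` mirrors the meaning used on this page: neither expired nor revoked.
FakeToken = Struct.new(:scopes_string, :token_type, :created_at, :expires_at,
                       :revoked_at, :application, keyword_init: true) do
  def expired?
    !expires_at.nil? && expires_at <= Time.now
  end

  def revoked?
    !revoked_at.nil?
  end

  def accessible?
    !expired? && !revoked?
  end
end

# Constructed stand-in for an OAuth client application; only `uid` is needed here.
FakeApp = Struct.new(:uid, keyword_init: true)

# Stand-alone model of the introspection logic described on this page.
# `authorized_client` is the client that authenticated the introspection request
# (nil when no client credentials were presented). Assumption: it is supplied by
# the caller here, whereas Doorkeeper derives it from the server's credentials.
class IntrospectionExample
  def initialize(token, authorized_client: nil)
    @token = token
    @authorized_client = authorized_client
  end

  # Inactive tokens produce only { active: false }: no reason is disclosed.
  def response
    active? ? success_response : failure_response
  end

  def active?
    if @authorized_client
      valid_token? && authorized_for_client?
    else
      valid_token?
    end
  end

  private

  # A token is valid only if it exists and is accessible (not expired, not revoked).
  def valid_token?
    !@token.nil? && @token.accessible?
  end

  # Assumption: a token introspected by a client other than the one it was
  # issued to is reported inactive, as the page's third bullet states.
  def authorized_for_client?
    !@token.application.nil? && @token.application.uid == @authorized_client.uid
  end

  def success_response
    {
      active: true,
      scope: @token.scopes_string,
      client_id: @token.application && @token.application.uid,
      token_type: @token.token_type,
      exp: @token.expires_at.to_i,
      iat: @token.created_at.to_i,
    }
  end

  def failure_response
    { active: false }
  end
end

# Constructed sample tokens exercising the live case and each inactive case.
def sample_responses
  app_a = FakeApp.new(uid: "client-a")
  app_b = FakeApp.new(uid: "client-b")
  issued = Time.utc(2024, 1, 1, 12, 0, 0)

  live = FakeToken.new(scopes_string: "read write", token_type: "Bearer",
                       created_at: issued, expires_at: Time.now + 3600,
                       revoked_at: nil, application: app_a)
  expired = live.dup.tap { |t| t.expires_at = issued + 10 } # expired long ago
  revoked = live.dup.tap { |t| t.revoked_at = Time.now }

  {
    live_same_client:  IntrospectionExample.new(live, authorized_client: app_a).response,
    live_other_client: IntrospectionExample.new(live, authorized_client: app_b).response,
    live_no_client:    IntrospectionExample.new(live).response,
    expired:           IntrospectionExample.new(expired, authorized_client: app_a).response,
    revoked:           IntrospectionExample.new(revoked, authorized_client: app_a).response,
    missing:           IntrospectionExample.new(nil, authorized_client: app_a).response,
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_responses.each { |name, resp| puts "#{name}: #{resp.inspect}" }
end
```

The point worth checking in a real deployment is the one the RFC stresses: the four inactive cases are indistinguishable from the response alone, so a caller cannot use the introspection endpoint to learn whether a given token string was ever issued, has expired, or belongs to another client.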