Adding a bunch of properties in the introspect response.

changelog.md

@@ -11,7 +11,8 @@ Changelog
 * It wasn't possible to see a full principal even if a user had
   `a12n:principal:list` privilege.
 * Added new privilege for changing passwords: `a12n:user:change-password`.
-* Introspection endpoint now returns the 'sub' property.
+* Introspection endpoint now returns the `exp`, `sub`, `aud` and `iss`
+  properties.
 
 
 0.24.0 (2023-11-09)

src/introspect/controller.ts

@@ -5,7 +5,8 @@ import { NotFound } from '@curveball/http-errors';
 import * as oauth2Service from '../oauth2/service';
 import { OAuth2Token } from '../oauth2/types';
 import * as privilegeService from '../privilege/service';
-import { accessToken, inactive, refreshToken } from './formats/json';
+import * as oauth2ClientService from '../oauth2-client/service';
+import { introspectResponse, inactive } from './formats/json';
 
 /**
  * The /introspect endpoint allows a client to get more information
@@ -69,14 +70,27 @@ class IntrospectionController extends Controller {
     }
     if (foundToken) {
       const privileges = (await privilegeService.get(foundToken.principal)).getAll();
+      const client = await oauth2ClientService.findById(foundToken.clientId); 
 
       switch (foundTokenType!) {
 
         case 'accessToken' :
-          ctx.response.body = accessToken(ctx.request.origin, foundToken, privileges);
+          ctx.response.body = introspectResponse({
+            tokenType: 'bearer',
+            origin: ctx.request.origin,
+            token: foundToken,
+            client,
+            privileges,
+          });
           break;
         case 'refreshToken' :
-          ctx.response.body = refreshToken(ctx.request.origin, foundToken, privileges);
+          ctx.response.body = introspectResponse({
+            tokenType: 'refresh_token',
+            origin: ctx.request.origin,
+            token: foundToken,
+            client,
+            privileges,
+          });
           break;
       }
       return;

src/introspect/formats/json.ts

@@ -1,40 +1,64 @@
 import { OAuth2Token } from '../../oauth2/types';
 import { PrivilegeMap } from '../../privilege/types';
 import * as url from 'url';
+import { OAuth2Client } from '../../types';
 
-export function accessToken(origin: string, token: OAuth2Token, privileges: PrivilegeMap) {
+type IntrospectInfo = {
+  privileges: PrivilegeMap,
+  client: OAuth2Client,
+  token: OAuth2Token,
+  tokenType: 'bearer' | 'refresh_token',
+  origin: string,
+}
 
-  return {
-    active: true,
-    scope: Object.values(privileges).join(' '),
-    privileges: privileges,
-    client_id: token.clientId,
-    username: token.principal.nickname,
-    token_type: 'bearer',
-    exp: token.accessTokenExpires,
-    sub: url.resolve(origin, token.principal.href),
-    _links: {
-      'authenticated-as': {
-        href: url.resolve(origin, token.principal.href),
-      }
+
+/**
+ * Defined in:
+ *
+ * https://www.rfc-editor.org/rfc/rfc7662#section-2.2
+ */
+type IntrospectResponse = {
+  active: boolean;
+  scope?: string;
+  client_id?: string;
+  username?: string;
+  token_type?: 'bearer' | 'refresh_token',
+  exp?: number;
+  iat?: number;
+  nbf?: number;
+  sub?: string;
+  aud?: string;
+  iss?: string;
+  jti?: string;
+
+  /**
+   * A12n additions.
+   */
+  privileges: PrivilegeMap,
+  _links: {
+    'authenticated-as': {
+      href: string,
     }
-  };
+  }
 
 }
 
-export function refreshToken(origin: string, token: OAuth2Token, privileges: PrivilegeMap) {
 
+export function introspectResponse(info: IntrospectInfo): IntrospectResponse {
   return {
     active: true,
-    scope: Object.values(privileges).join(' '),
-    privileges: privileges,
-    client_id: token.clientId,
-    username: token.principal.nickname,
-    token_type: 'refresh_token',
-    sub: url.resolve(origin, token.principal.href),
+    scope: Object.values(info.privileges).join(' '),
+    privileges: info.privileges,
+    client_id: info.client.clientId,
+    username: info.token.principal.nickname,
+    token_type: info.tokenType,
+    exp: info.tokenType === 'refresh_token' ? info.token.refreshTokenExpires : info.token.accessTokenExpires,
+    sub: url.resolve(info.origin, info.token.principal.href),
+    aud: url.resolve(info.origin, info.client.app.href),
+    iss: info.origin,
     _links: {
       'authenticated-as': {
-        href: url.resolve(origin, token.principal.href),
+        href: url.resolve(info.origin, info.token.principal.href),
       }
     }
   };

src/oauth2-client/controller/collection.ts

@@ -5,8 +5,7 @@ import { Forbidden, UnprocessableEntity } from '@curveball/http-errors';
 
 import * as hal from '../formats/hal';
 import { PrincipalService } from '../../principal/service';
-import { GrantType } from '../../types';
-import { OAuth2Client } from '../types';
+import { GrantType, OAuth2Client } from '../../types';
 import { findByApp, create } from '../service';
 import { generatePublicId, generateSecretToken } from '../../crypto';
 

src/oauth2-client/formats/hal.ts

@@ -1,5 +1,4 @@
-import { App } from '../../types';
-import { OAuth2Client } from '../types';
+import { App, OAuth2Client } from '../../types';
 import { HalResource } from 'hal-types';
 
 export function collection(app: App, clients: OAuth2Client[]): HalResource {

src/oauth2-client/service.ts

@@ -4,12 +4,11 @@ import { NotFound, Unauthorized, Conflict } from '@curveball/http-errors';
 import { Oauth2ClientsRecord } from 'knex/types/tables';
 import { wrapError, UniqueViolationError } from 'db-errors';
 
-import { OAuth2Client } from './types';
 import { PrincipalService } from '../principal/service';
 import db, { insertAndGetId } from '../database';
 import { InvalidRequest } from '../oauth2/errors';
 import parseBasicAuth from './parse-basic-auth';
-import { App, GrantType } from '../types';
+import { App, GrantType, OAuth2Client } from '../types';
 
 export async function findByClientId(clientId: string): Promise<OAuth2Client> {
 

src/oauth2/controller/active-sessions.ts

@@ -8,8 +8,12 @@ import { PrincipalService } from '../../principal/service';
 import * as oauth2Service from '../service';
 import * as oauth2ClientService from '../../oauth2-client/service';
 
-import { Principal, User, App } from '../../types';
-import { OAuth2Client } from '../../oauth2-client/types';
+import {
+  App,
+  OAuth2Client,
+  Principal,
+  User,
+} from '../../types';
 
 import { OAuth2Token } from '../types';
 

src/oauth2/controller/authorize.ts

@@ -1,11 +1,12 @@
+import * as querystring from 'querystring';
 import Controller from '@curveball/controller';
 import { Context } from '@curveball/core';
 import { NotFound, NotImplemented } from '@curveball/http-errors';
-import * as querystring from 'querystring';
+
 import { InvalidClient, InvalidRequest, UnsupportedGrantType } from '../errors';
 import * as oauth2Service from '../service';
 import { CodeChallengeMethod } from '../types';
-import { OAuth2Client } from '../../oauth2-client/types';
+import { OAuth2Client } from '../../types';
 import log from '../../log/service';
 import { EventType } from '../../log/types';
 import { findByClientId } from '../../oauth2-client/service';

src/oauth2/controller/revoke.ts

@@ -3,7 +3,7 @@ import { Context } from '@curveball/core';
 import log from '../../log/service';
 import { EventType } from '../../log/types';
 import { revokeByAccessRefreshToken } from '../service';
-import { OAuth2Client } from '../../oauth2-client/types';
+import { OAuth2Client } from '../../types';
 import {
   getOAuth2ClientFromBasicAuth,
   getOAuth2ClientFromBody,

src/oauth2/controller/token.ts

@@ -4,10 +4,9 @@ import log from '../../log/service';
 import { EventType } from '../../log/types';
 import { PrincipalService } from '../../principal/service';
 import * as userService from '../../user/service';
-import { User } from '../../types';
+import { User, OAuth2Client } from '../../types';
 import { InvalidGrant, InvalidRequest, UnsupportedGrantType } from '../errors';
 import * as oauth2Service from '../service';
-import { OAuth2Client } from '../../oauth2-client/types';
 import {
   getOAuth2ClientFromBasicAuth,
   getOAuth2ClientFromBody,

src/oauth2/formats/csv.ts

@@ -1,5 +1,5 @@
 import { OAuth2Token } from '../types';
-import { OAuth2Client } from '../../oauth2-client/types';
+import { OAuth2Client } from '../../types';
 
 import { stringify } from 'csv-stringify/sync';
 

src/oauth2/jwt.ts

@@ -1,5 +1,4 @@
-import { User, App } from '../types';
-import { OAuth2Client } from '../oauth2-client/types';
+import { User, App, OAuth2Client } from '../types';
 import { generateSecretToken } from '../crypto';
 import { getSetting } from '../server-settings';
 import { createPrivateKey, KeyObject, createPublicKey } from 'crypto';

src/oauth2/service.ts

@@ -6,11 +6,10 @@ import { getSetting } from '../server-settings';
 import { PrincipalService } from '../principal/service';
 import { InvalidGrant, InvalidRequest, UnauthorizedClient } from './errors';
 import { CodeChallengeMethod, OAuth2Code, OAuth2Token } from './types';
-import { OAuth2Client } from '../oauth2-client/types';
 import { generateSecretToken } from '../crypto';
 import { generateJWTAccessToken, generateJWTIDToken } from './jwt';
 import { Oauth2TokensRecord, Oauth2CodesRecord } from 'knex/types/tables';
-import { App, User, GrantType } from '../types';
+import { App, User, GrantType, OAuth2Client } from '../types';
 import * as userAppPermissionsService from '../user-app-permissions/service';
 
 const oauth2TokenFields: (keyof Oauth2TokensRecord)[] = [

src/types.ts

@@ -81,3 +81,46 @@ export type PrincipalStats = {
   app: number;
   group: number;
 };
+
+/**
+ * The OAuth2 client refers to a single (programmatic) client, accessing
+ * an API.
+ *
+ * OAuth2 clients are associated to 'Apps'. Each 'app' may have multiple
+ * OAuth2 clients.
+ */
+export type OAuth2Client = {
+
+  /**
+   * Unique, internal id.
+   */
+  id: number;
+
+  /**
+   * Route to this client
+   */
+  href: string;
+
+  /**
+   * A string that's used to configure OAuth2 clients.
+   */
+  clientId: string;
+
+
+  /**
+   * A secret string. This is hashed using bcrypt2
+   */
+  clientSecret: string;
+
+  app: App;
+
+  /**
+   * List of allowed grantTypes this client may use.
+   */
+  allowedGrantTypes: GrantType[];
+
+  /**
+   * Require PKCE for authorization_code flows.
+   */
+  requirePkce: boolean;
+};