Add introspection implementation - updated

README.md

@@ -23,6 +23,7 @@ The following RFCs are implemented:
 * [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
+* [RFC7662 "OAuth 2.0 Token Introspection"](https://tools.ietf.org/html/rfc7662)
 
 This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 

examples/public/introspect.php

@@ -0,0 +1,51 @@
+<?php
+
+use Laminas\Diactoros\Response;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\IntrospectionServer;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    // Add the authorization server to the DI container
+    IntrospectionServer::class => function () {
+
+        // Setup the authorization server
+        $server = new IntrospectionServer(
+            new AccessTokenRepository(),
+            'file://' . __DIR__ . '/../public.key'
+        );
+
+        return $server;
+    },
+]);
+
+$app->post(
+    '/introspect',
+    function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+        /* @var IntrospectionServer $server */
+        $server = $app->getContainer()->get(IntrospectionServer::class);
+
+        try {
+            // Try to respond to the introspection request
+            return $server->respondToIntrospectionRequest($request, new Response());
+        } catch (OAuthServerException $exception) {
+
+            // All instances of OAuthServerException can be converted to a PSR-7 response
+            return $exception->generateHttpResponse($response);
+        } catch (Exception $exception) {
+
+            // Catch unexpected exceptions
+            $body = $response->getBody();
+            $body->write($exception->getMessage());
+
+            return $response->withStatus(500)->withBody($body);
+        }
+    }
+);
+
+$app->run();

src/IntrospectionServer.php

@@ -0,0 +1,122 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server;
+
+use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator as AuthorizationBearerTokenValidator;
+use League\OAuth2\Server\IntrospectionValidators\BearerTokenValidator as IntrospectionBearerTokenValidator;
+use League\OAuth2\Server\IntrospectionValidators\IntrospectionValidatorInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\ResponseTypes\Introspection\AbstractResponseType;
+use League\OAuth2\Server\ResponseTypes\Introspection\BearerTokenResponse;
+use League\OAuth2\Server\ResponseTypes\Introspection\ResponseTypeInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class IntrospectionServer
+{
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    protected $accessTokenRepository;
+
+    /**
+     * @var CryptKey
+     */
+    protected $publicKey;
+
+    /**
+     * @var AbstractResponseType
+     */
+    protected $responseType;
+
+    /**
+     * @var AuthorizationValidatorInterface|null
+     */
+    protected $authorizationValidator;
+
+    /**
+     * @var IntrospectionValidatorInterface|null
+     */
+    protected $introspectionValidator;
+
+    public function __construct(
+        AccessTokenRepositoryInterface $accessTokenRepository,
+        $publicKey,
+        IntrospectionValidatorInterface $introspectionValidator = null,
+        AuthorizationValidatorInterface $authorizationValidator = null,
+        ResponseTypeInterface $responseType = null
+    ) {
+        $this->accessTokenRepository = $accessTokenRepository;
+
+        if ($publicKey instanceof CryptKey === false) {
+            $publicKey = new CryptKey($publicKey);
+        }
+
+        $this->publicKey = $publicKey;
+        $this->introspectionValidator = $introspectionValidator;
+        $this->authorizationValidator = $authorizationValidator;
+
+        if ($responseType === null) {
+            $this->responseType = new BearerTokenResponse();
+        } else {
+            $this->responseType = clone $responseType;
+        }
+    }
+
+    /**
+     * Get the introspection validator
+     *
+     * @return IntrospectionValidatorInterface
+     */
+    protected function getIntrospectionValidator(): IntrospectionValidatorInterface
+    {
+        if ($this->introspectionValidator instanceof IntrospectionValidatorInterface === false) {
+            $this->introspectionValidator = new IntrospectionBearerTokenValidator($this->accessTokenRepository);
+
+            $this->introspectionValidator->setPublicKey($this->publicKey);
+        }
+
+        return $this->introspectionValidator;
+    }
+
+    /**
+     * Get the authorization validator
+     *
+     * @return AuthorizationValidatorInterface
+     */
+    protected function getAuthorizationValidator(): AuthorizationValidatorInterface
+    {
+        if ($this->authorizationValidator instanceof AuthorizationValidatorInterface === false) {
+            $this->authorizationValidator = new AuthorizationBearerTokenValidator($this->accessTokenRepository);
+
+            $this->authorizationValidator->setPublicKey($this->publicKey);
+        }
+
+        return $this->authorizationValidator;
+    }
+
+    /**
+     * Return an introspection response.
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface      $response
+     *
+     * @return ResponseInterface
+     *
+     * @throws Exception\OAuthServerException
+     */
+    public function respondToIntrospectionRequest(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
+    {
+        $this->getAuthorizationValidator()->validateAuthorization($request);
+
+        $this->responseType->setRequest($request);
+        $this->responseType->setValidity(
+            $this->getIntrospectionValidator()->validateIntrospection($request)
+        );
+
+        return $this->responseType->generateHttpResponse($response);
+    }
+}

src/IntrospectionValidators/BearerTokenValidator.php

@@ -0,0 +1,152 @@
+<?php
+
+namespace League\OAuth2\Server\IntrospectionValidators;
+
+use DateTimeZone;
+use InvalidArgumentException;
+use Lcobucci\Clock\SystemClock;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Token;
+use Lcobucci\JWT\Validation\Constraint\SignedWith;
+use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
+use Lcobucci\JWT\Validation\Constraint\ValidAt;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class BearerTokenValidator implements IntrospectionValidatorInterface
+{
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var CryptKey
+     */
+    protected $publicKey;
+
+    /**
+     * @var Configuration
+     */
+    protected $jwtConfiguration;
+
+    /**
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
+    {
+        $this->accessTokenRepository = $accessTokenRepository;
+    }
+
+    /**
+     * Set the private key.
+     *
+     * @param CryptKey $key
+     */
+    public function setPublicKey(CryptKey $key): void
+    {
+        $this->publicKey = $key;
+
+        $this->initJwtConfiguration();
+    }
+
+    /**
+     * Initialise the JWT configuration.
+     */
+    private function initJwtConfiguration(): void
+    {
+        $this->jwtConfiguration = Configuration::forSymmetricSigner(new Sha256(), InMemory::empty());
+
+        $this->jwtConfiguration->setValidationConstraints(
+            \class_exists(StrictValidAt::class)
+                ? new StrictValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get())))
+                : new ValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get()))),
+            new SignedWith(
+                new Sha256(),
+                InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
+            )
+        );
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateIntrospection(ServerRequestInterface $request): bool
+    {
+        $this->validateIntrospectionRequest($request);
+
+        try {
+            $token = $this->getTokenFromRequest($request);
+        } catch (InvalidArgumentException $e) {
+            return false;
+        }
+
+        if (
+            !$this->isTokenValid($token) ||
+            $this->isTokenRevoked($token)
+        ) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Gets the token from the request body.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return Token
+     */
+    public function getTokenFromRequest(ServerRequestInterface $request): Token
+    {
+        $jwt = $request->getParsedBody()['token'] ?? '';
+
+        return $this->jwtConfiguration->parser()
+            ->parse($jwt);
+    }
+
+    /**
+     * Validate the introspection request.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     */
+    private function validateIntrospectionRequest(ServerRequestInterface $request): void
+    {
+        if ($request->getMethod() !== 'POST') {
+            throw OAuthServerException::accessDenied('Invalid request method');
+        }
+    }
+
+    /**
+     * Check if the given token is revoked.
+     *
+     * @param Token $token
+     *
+     * @return bool
+     */
+    private function isTokenRevoked(Token $token): bool
+    {
+        return $this->accessTokenRepository->isAccessTokenRevoked($token->claims()->get('jti'));
+    }
+
+    /**
+     * Check if the given token is valid
+     *
+     * @param Token $token
+     *
+     * @return bool
+     */
+    private function isTokenValid(Token $token): bool
+    {
+        $constraints = $this->jwtConfiguration->validationConstraints();
+
+        return $this->jwtConfiguration->validator()->validate($token, ...$constraints);
+    }
+}

src/IntrospectionValidators/IntrospectionValidatorInterface.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace League\OAuth2\Server\IntrospectionValidators;
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use Psr\Http\Message\ServerRequestInterface;
+
+interface IntrospectionValidatorInterface
+{
+    /**
+     * Determine whether the introspection request is valid.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     *
+     * @return bool
+     */
+    public function validateIntrospection(ServerRequestInterface $request): bool;
+}