Improve introspection endpoint (#2096)

2020-02-19 21:45:33 +01:00 · 2020-02-19 21:45:33 +01:00 · 5758e371bf
commit 5758e371bf
parent 95ad4cac37
2 changed files with 22 additions and 2 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@ -1631,7 +1631,7 @@ sub introspection {
    my $rp = $self->checkEndPointAuthenticationCredentials($req);

    unless ($rp) {
-        return $self->p->sendError( $req, 'invalid_request', 400 );
+        return $self->p->sendError( $req, 'invalid_client', 401 );
    }

    if ( $self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -1672,6 +1672,7 @@ sub introspection {
                  $self->oidcRPList->{ $oidcSession->{data}->{rp} }
                  ->{oidcRPMetaDataOptionsClientID}
                  if $oidcSession->{data}->{rp};
+                $response->{iss} = $self->iss;
                $response->{exp} =
                  $oidcSession->{data}->{_utime} + $self->conf->{timeout};
            }
--- a/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t
@ -76,7 +76,7 @@ my $op = LLNG::Manager::Test->new( {
                'loa-3' => 3
            },
            oidcServicePrivateKeySig => oidc_key_op_private_sig,
-            oidcServicePublicKeySig => oidc_key_op_public_sig,
+            oidcServicePublicKeySig  => oidc_key_op_public_sig,
        }
    }
 );
@ -132,6 +132,19 @@ my $token = $json->{access_token};
 ok( $token, 'Access token present' );

 $query = "token=$token";
+
+ok(
+    $res = $op->_post(
+        "/oauth2/introspect",
+        IO::String->new($query),
+        accept => 'application/json',
+        length => length($query),
+    ),
+    "Try introspection without authentication"
+);
+
+expectReject($res);
+
 ok(
    $res = $op->_post(
        "/oauth2/introspect",
@ -149,6 +162,12 @@ expectOK($res);
 $json = from_json( $res->[2]->[0] );
 ok( $json->{active}, "Token is valid" );
 is( $json->{sub}, "french", "Response contains the correct sub" );
+is( $json->{iss}, "http://auth.op.com",
+    "Response contains the correct issuer" );
+is( $json->{client_id}, "rpid", "Response contains the correct client id" );
+like( $json->{scope}, qr/\bopenid\b/,  "Response contains the correct scopes" );
+like( $json->{scope}, qr/\bprofile\b/, "Response contains the correct scopes" );
+like( $json->{scope}, qr/\bemail\b/,   "Response contains the correct scopes" );

 # Check status after expiration
 Time::Fake->offset("+2h");