
token introspect remove client id constraint #363

Merged 3 commits on Aug 24, 2024

Conversation

danj3 (Contributor) commented Jul 30, 2024

resolves #364

Previously, introspect could only introspect a client_id's own token; introspect needs to be able to introspect any token for an issuer.

It is my understanding from https://datatracker.ietf.org/doc/html/rfc7662 that the introspect endpoint is valid for use with any token from the issuer; however, the code prior to this change would reject a token when the client_id in the token was not the same as the client_id of the caller to introspect.

maennchen (Member) commented Jul 30, 2024

@danj3 Thanks for the PR.

I agree with your understanding of the RFC. A valid token issued to any client should return a successful response.

However, this function is used in many places as a validation for a specific client. We therefore can't change the behavior without making it a breaking change.

A major release would have to entail refreshing all certifications, which is a considerable amount of work. For this change only, I don't think it is enough benefit.

I therefore propose the following:

  • We introduce a new option check_issued_client (default: true)
  • We add a warning admonition block to the docs
  • We'll keep the issue open until release 4.0 happens.

danj3 (Contributor, Author) commented Aug 7, 2024

@maennchen I think this follows the option route you had in mind. I did use a different option name, not intentionally, but it may be more exact. Added tests for these scenarios as well.

Dan Janowski added 2 commits August 24, 2024 19:29

Previously, introspect could only introspect a client_id's own token; introspect needs to be able to introspect any token for an issuer.

Add client_self_only option with a default of true to require that the caller's own client_id and the token's client_id match. When false, disables the match and returns only the introspect result.
maennchen previously approved these changes Aug 24, 2024
@maennchen maennchen merged commit 6aebbdc into erlef:main Aug 24, 2024
24 of 28 checks passed
Development

Successfully merging this pull request may close these issues.

Token introspection, it seems to work incorrectly