lua-resty-openidc

Support token_type_hint for introspection endpoint

Open jerneyio opened this issue 6 years ago • 3 comments

Is there any interest in supporting the optional token_type_hint parameter in the token introspection request? See: https://tools.ietf.org/html/rfc7662#section-2.1

I have this working on my fork, would just need to clean it up and merge.

Any documentation/tests I should update as well?

jerneyio avatar Nov 14 '18 17:11 jerneyio

You mean that it is always added and set to access_token?

zandbelt avatar Nov 14 '18 21:11 zandbelt

That might be a reasonable default, but there are other potential values. For example, refresh_token. Also, consider Keycloak: https://www.keycloak.org/docs/2.5/authorization_services/topics/service/protection/token-introspection.html.

Example request:

curl -X POST \
    -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpzZWNyZXQ=" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "token_type_hint=requesting_party_token&token=${RPT}" \
    "http://localhost:8080/auth/realms/hello-world-authz/protocol/openid-connect/token/introspect"

jerneyio avatar Nov 15 '18 01:11 jerneyio
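Added example, not part of the thread and not lua-resty-openidc's code: a sketch of the RFC 7662 section 2.1 request discussed above, with a toy server showing that `token_type_hint` only orders the lookup and that the server extends its search to its other token types when the hint misses. The token store and the names `TOKENS`, `build_introspection_body` and `introspect` are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs

# Constructed token store for a toy authorization server: token -> type.
TOKENS = {"at-123": "access_token", "rt-456": "refresh_token"}


def build_introspection_body(token, token_type_hint=None):
    """Form-encode the request body: `token` is required, the hint optional.

    urlencode() escapes '&' and '=' inside the token, so a crafted token
    value cannot add or override parameters such as token_type_hint.
    """
    params = {"token": token}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    return urlencode(params)


def introspect(body):
    """Toy server side. Returns (response, token types searched, in order)."""
    form = parse_qs(body)
    token = form.get("token", [None])[0]
    hint = form.get("token_type_hint", [None])[0]
    types = sorted(set(TOKENS.values()))
    # Search the hinted type first; a hint the server does not know is ignored.
    order = ([hint] if hint in types else []) + [t for t in types if t != hint]
    searched = []
    for token_type in order:
        searched.append(token_type)
        if TOKENS.get(token) == token_type:
            return {"active": True}, searched
    # Unknown or missing token: every supported type was tried.
    return {"active": False}, searched


if __name__ == "__main__":
    for tok, hint in [("rt-456", "refresh_token"), ("rt-456", "access_token"),
                      ("at-123", "requesting_party_token"), ("nope", None)]:
        body = build_introspection_body(tok, hint)
        print(body, "->", introspect(body))
```

Because a wrong or unknown hint still yields `active: true`, a caller cannot use the hint to restrict which kind of token is accepted; that decision has to be made from the introspection response.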

Ah yes, I forgot that this routine is called by apps; those same apps may want to use it to refresh a refresh token or else, so I'd be happy to merge the PR

zandbelt avatar Nov 15 '18 07:11 zandbelt