feat: add extra parameter to token_introspection

From https://datatracker.ietf.org/doc/html/rfc7662#section-2.2: > Specific implementations MAY extend this structure with their own > service-specific response names as top-level members of this JSON > object.
erlef · Dec 9, 2023 · 6daab69 · 6daab69
1 parent 20715ae
commit 6daab69
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 7 deletions.
diff --git a/include/oidcc_token_introspection.hrl b/include/oidcc_token_introspection.hrl
@@ -3,9 +3,17 @@
 -record(oidcc_token_introspection, {
     active :: boolean(),
     client_id :: binary(),
-    exp :: pos_integer(),
+    exp :: pos_integer() | undefined,
     scope :: oidcc_scope:scopes(),
-    username :: binary()
+    username :: binary() | undefined,
+    token_type :: binary() | undefined,
+    iat :: pos_integer() | undefined,
+    nbf :: pos_integer() | undefined,
+    sub :: binary() | undefined,
+    aud :: binary() | undefined,
+    iss :: binary() | undefined,
+    jti :: binary() | undefined,
+    extra :: #{binary() := term()}
 }).
 
 -define(OIDCC_TOKEN_INTROSPECTION_HRL, 1).

diff --git a/lib/oidcc/token_introspection.ex b/lib/oidcc/token_introspection.ex
@@ -45,9 +45,17 @@ defmodule Oidcc.TokenIntrospection do
   @type t() :: %__MODULE__{
           active: boolean(),
           client_id: binary(),
-          exp: pos_integer(),
+          exp: pos_integer() | :undefined,
           scope: :oidcc_scope.scopes(),
-          username: binary()
+          username: binary() | :undefined,
+          token_type: binary() | :undefined,
+          iat: pos_integer() | :undefined,
+          nbf: pos_integer() | :undefined,
+          sub: binary() | :undefined,
+          aud: binary() | :undefined,
+          iss: binary() | :undefined,
+          jti: binary() | :undefined,
+          extra: %{binary() => term()}
         }
 
   @doc """

diff --git a/src/oidcc_token_introspection.erl b/src/oidcc_token_introspection.erl
@@ -161,7 +161,14 @@ extract_response(TokenMap, #oidcc_client_context{client_id = ClientId}) ->
         end,
     Scope = maps:get(<<"scope">>, TokenMap, <<"">>),
     Username = maps:get(<<"username">>, TokenMap, undefined),
+    TokenType = maps:get(<<"token_type">>, TokenMap, undefined),
     Exp = maps:get(<<"exp">>, TokenMap, undefined),
+    Iat = maps:get(<<"iat">>, TokenMap, undefined),
+    Nbf = maps:get(<<"nbf">>, TokenMap, undefined),
+    Sub = maps:get(<<"sub">>, TokenMap, undefined),
+    Aud = maps:get(<<"aud">>, TokenMap, undefined),
+    Iss = maps:get(<<"iss">>, TokenMap, undefined),
+    Jti = maps:get(<<"jti">>, TokenMap, undefined),
     case maps:get(<<"client_id">>, TokenMap, undefined) of
         IntrospectionClientId when
             IntrospectionClientId == ClientId; IntrospectionClientId == undefined
@@ -171,7 +178,31 @@ extract_response(TokenMap, #oidcc_client_context{client_id = ClientId}) ->
                 scope = oidcc_scope:parse(Scope),
                 client_id = ClientId,
                 username = Username,
-                exp = Exp
+                exp = Exp,
+                token_type = TokenType,
+                iat = Iat,
+                nbf = Nbf,
+                sub = Sub,
+                aud = Aud,
+                iss = Iss,
+                jti = Jti,
+                extra = maps:without(
+                    [
+                        <<"scope">>,
+                        <<"active">>,
+                        <<"username">>,
+                        <<"exp">>,
+                        <<"client_id">>,
+                        <<"token_type">>,
+                        <<"iat">>,
+                        <<"nbf">>,
+                        <<"sub">>,
+                        <<"aud">>,
+                        <<"iss">>,
+                        <<"jti">>
+                    ],
+                    TokenMap
+                )
             }};
         _ ->
             {error, client_id_mismatch}

diff --git a/test/oidcc_token_introspection_test.erl b/test/oidcc_token_introspection_test.erl
@@ -31,12 +31,20 @@ introspect_test() ->
             _RequestOpts
         ) ->
             IntrospectionEndpoint = ReqEndpoint,
-            {ok, {{json, #{<<"active">> => true, <<"client_id">> => ClientId}}, []}}
+            {ok,
+                {
+                    {json, #{
+                        <<"active">> => true,
+                        <<"client_id">> => ClientId,
+                        <<"extra">> => <<"value">>
+                    }},
+                    []
+                }}
         end,
     ok = meck:expect(oidcc_http_util, request, HttpFun),
 
     ?assertMatch(
-        {ok, #oidcc_token_introspection{active = true}},
+        {ok, #oidcc_token_introspection{active = true, extra = #{<<"extra">> := <<"value">>}}},
         oidcc_token_introspection:introspect(
             AccessToken,
             ClientContext,