feat: Add token introspection endpoint

lib/build/framework/request.d.ts

@@ -15,4 +15,5 @@ export declare abstract class BaseRequest {
     abstract getOriginalURL: () => string;
     getFormData: () => Promise<any>;
     getJSONBody: () => Promise<any>;
+    getBodyAsJSONOrFormData: () => Promise<any>;
 }

lib/build/framework/request.js

@@ -41,6 +41,26 @@ class BaseRequest {
             }
             return this.parsedJSONBody;
         };
+        this.getBodyAsJSONOrFormData = async () => {
+            const contentType = this.getHeaderValue("content-type");
+            if (contentType) {
+                if (contentType.startsWith("application/json")) {
+                    return await this.getJSONBody();
+                } else if (contentType.startsWith("application/x-www-form-urlencoded")) {
+                    return await this.getFormData();
+                }
+            } else {
+                try {
+                    return await this.getJSONBody();
+                } catch (_a) {
+                    try {
+                        return await this.getFormData();
+                    } catch (_b) {
+                        throw new Error("Unable to parse body as JSON or Form Data.");
+                    }
+                }
+            }
+        };
         this.wrapperUsed = true;
         this.parsedJSONBody = undefined;
         this.parsedUrlEncodedFormData = undefined;

lib/build/recipe/oauth2provider/api/implementation.js

@@ -49,6 +49,7 @@ function getAPIImplementation() {
         },
         tokenPOST: async (input) => {
             return input.options.recipeImplementation.tokenExchange({
+                authorizationHeader: input.authorizationHeader,
                 body: input.body,
                 userContext: input.userContext,
             });
@@ -79,6 +80,29 @@ function getAPIImplementation() {
                 userContext,
             });
         },
+        revokeTokenPOST: async (input) => {
+            if ("authorizationHeader" in input) {
+                return input.options.recipeImplementation.revokeToken({
+                    token: input.token,
+                    authorizationHeader: input.authorizationHeader,
+                    userContext: input.userContext,
+                });
+            } else {
+                return input.options.recipeImplementation.revokeToken({
+                    token: input.token,
+                    clientId: input.clientId,
+                    clientSecret: input.clientSecret,
+                    userContext: input.userContext,
+                });
+            }
+        },
+        introspectTokenPOST: async (input) => {
+            return input.options.recipeImplementation.introspectToken({
+                token: input.token,
+                scopes: input.scopes,
+                userContext: input.userContext,
+            });
+        },
     };
 }
 exports.default = getAPIImplementation;

lib/build/recipe/oauth2provider/api/introspectToken.d.ts

@@ -0,0 +1,8 @@
+// @ts-nocheck
+import { APIInterface, APIOptions } from "..";
+import { UserContext } from "../../../types";
+export default function introspectTokenPOST(
+    apiImplementation: APIInterface,
+    options: APIOptions,
+    userContext: UserContext
+): Promise<boolean>;

lib/build/recipe/oauth2provider/api/introspectToken.js

@@ -0,0 +1,37 @@
+"use strict";
+/* Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ * This software is licensed under the Apache License, Version 2.0 (the
+ * "License") as published by the Apache Software Foundation.
+ *
+ * You may not use this file except in compliance with the License. You may
+ * obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("../../../utils");
+async function introspectTokenPOST(apiImplementation, options, userContext) {
+    if (apiImplementation.introspectTokenPOST === undefined) {
+        return false;
+    }
+    const body = await options.req.getBodyAsJSONOrFormData();
+    if (body.token === undefined) {
+        utils_1.sendNon200ResponseWithMessage(options.res, "token is required in the request body", 400);
+        return true;
+    }
+    const scopes = body.scope ? body.scope.split(" ") : [];
+    let response = await apiImplementation.introspectTokenPOST({
+        options,
+        token: body.token,
+        scopes,
+        userContext,
+    });
+    utils_1.send200Response(options.res, response);
+    return true;
+}
+exports.default = introspectTokenPOST;

lib/build/recipe/oauth2provider/api/revokeToken.d.ts

@@ -0,0 +1,8 @@
+// @ts-nocheck
+import { APIInterface, APIOptions } from "..";
+import { UserContext } from "../../../types";
+export default function revokeTokenPOST(
+    apiImplementation: APIInterface,
+    options: APIOptions,
+    userContext: UserContext
+): Promise<boolean>;

lib/build/recipe/oauth2provider/api/revokeToken.js

@@ -0,0 +1,51 @@
+"use strict";
+/* Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ * This software is licensed under the Apache License, Version 2.0 (the
+ * "License") as published by the Apache Software Foundation.
+ *
+ * You may not use this file except in compliance with the License. You may
+ * obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const utils_1 = require("../../../utils");
+async function revokeTokenPOST(apiImplementation, options, userContext) {
+    if (apiImplementation.revokeTokenPOST === undefined) {
+        return false;
+    }
+    const body = await options.req.getBodyAsJSONOrFormData();
+    if (body.token === undefined) {
+        utils_1.sendNon200ResponseWithMessage(options.res, "token is required in the request body", 400);
+        return true;
+    }
+    const authorizationHeader = options.req.getHeaderValue("authorization");
+    if (authorizationHeader !== undefined && (body.client_id !== undefined || body.client_secret !== undefined)) {
+        utils_1.sendNon200ResponseWithMessage(
+            options.res,
+            "Only one of authorization header or client_id and client_secret can be provided",
+            400
+        );
+        return true;
+    }
+    let response = await apiImplementation.revokeTokenPOST({
+        options,
+        authorizationHeader,
+        token: body.token,
+        clientId: body.client_id,
+        clientSecret: body.client_secret,
+        userContext,
+    });
+    if ("statusCode" in response && response.statusCode !== 200) {
+        utils_1.sendNon200Response(options.res, response.statusCode, response);
+    } else {
+        utils_1.send200Response(options.res, response);
+    }
+    return true;
+}
+exports.default = revokeTokenPOST;

lib/build/recipe/oauth2provider/api/token.js

@@ -19,9 +19,11 @@ async function tokenPOST(apiImplementation, options, userContext) {
     if (apiImplementation.tokenPOST === undefined) {
         return false;
     }
+    const authorizationHeader = options.req.getHeaderValue("authorization");
     let response = await apiImplementation.tokenPOST({
+        authorizationHeader,
         options,
-        body: await options.req.getFormData(),
+        body: await options.req.getBodyAsJSONOrFormData(),
         userContext,
     });
     if ("statusCode" in response && response.statusCode !== 200) {

lib/build/recipe/oauth2provider/api/userInfo.js

@@ -26,7 +26,7 @@ async function userInfoGET(apiImplementation, tenantId, options, userContext) {
     if (apiImplementation.userInfoGET === undefined) {
         return false;
     }
-    const authHeader = options.req.getHeaderValue("authorization") || options.req.getHeaderValue("Authorization");
+    const authHeader = options.req.getHeaderValue("authorization");
     if (authHeader === undefined || !authHeader.startsWith("Bearer ")) {
         utils_1.sendNon200ResponseWithMessage(options.res, "Missing or invalid Authorization header", 401);
         return true;

lib/build/recipe/oauth2provider/constants.d.ts

@@ -5,3 +5,5 @@ export declare const AUTH_PATH = "/oauth/auth";
 export declare const TOKEN_PATH = "/oauth/token";
 export declare const LOGIN_INFO_PATH = "/oauth/login/info";
 export declare const USER_INFO_PATH = "/oauth/userinfo";
+export declare const REVOKE_TOKEN_PATH = "/oauth/revoke";
+export declare const INTROSPECT_TOKEN_PATH = "/oauth/introspect";

lib/build/recipe/oauth2provider/constants.js

@@ -14,10 +14,12 @@
  * under the License.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.USER_INFO_PATH = exports.LOGIN_INFO_PATH = exports.TOKEN_PATH = exports.AUTH_PATH = exports.LOGIN_PATH = exports.OAUTH2_BASE_PATH = void 0;
+exports.INTROSPECT_TOKEN_PATH = exports.REVOKE_TOKEN_PATH = exports.USER_INFO_PATH = exports.LOGIN_INFO_PATH = exports.TOKEN_PATH = exports.AUTH_PATH = exports.LOGIN_PATH = exports.OAUTH2_BASE_PATH = void 0;
 exports.OAUTH2_BASE_PATH = "/oauth/";
 exports.LOGIN_PATH = "/oauth/login";
 exports.AUTH_PATH = "/oauth/auth";
 exports.TOKEN_PATH = "/oauth/token";
 exports.LOGIN_INFO_PATH = "/oauth/login/info";
 exports.USER_INFO_PATH = "/oauth/userinfo";
+exports.REVOKE_TOKEN_PATH = "/oauth/revoke";
+exports.INTROSPECT_TOKEN_PATH = "/oauth/introspect";

lib/build/recipe/oauth2provider/index.d.ts

@@ -11,6 +11,20 @@ import {
 } from "./types";
 export default class Wrapper {
     static init: typeof Recipe.init;
+    static getOAuth2Client(
+        clientId: string,
+        userContext?: Record<string, any>
+    ): Promise<
+        | {
+              status: "OK";
+              client: import("./OAuth2Client").OAuth2Client;
+          }
+        | {
+              status: "ERROR";
+              error: string;
+              errorHint: string;
+          }
+    >;
     static getOAuth2Clients(
         input: GetOAuth2ClientsInput,
         userContext?: Record<string, any>
@@ -99,6 +113,22 @@ export default class Wrapper {
         audience?: string,
         userContext?: Record<string, any>
     ): Promise<import("./types").ErrorOAuth2 | import("./types").TokenInfo>;
+    static revokeToken(
+        token: string,
+        clientId: string,
+        clientSecret?: string,
+        userContext?: Record<string, any>
+    ): Promise<
+        | import("./types").ErrorOAuth2
+        | {
+              status: "OK";
+          }
+    >;
+    static validateOAuth2RefreshToken(
+        token: string,
+        scopes?: string[],
+        userContext?: Record<string, any>
+    ): Promise<import("./types").InstrospectTokenResponse>;
 }
 export declare let init: typeof Recipe.init;
 export declare let getOAuth2Clients: typeof Wrapper.getOAuth2Clients;
@@ -108,4 +138,5 @@ export declare let deleteOAuth2Client: typeof Wrapper.deleteOAuth2Client;
 export declare let validateOAuth2AccessToken: typeof Wrapper.validateOAuth2AccessToken;
 export declare let validateOAuth2IdToken: typeof Wrapper.validateOAuth2IdToken;
 export declare let createTokenForClientCredentials: typeof Wrapper.createTokenForClientCredentials;
+export declare let revokeToken: typeof Wrapper.revokeToken;
 export type { APIInterface, APIOptions, RecipeInterface };

lib/build/recipe/oauth2provider/index.js

@@ -19,10 +19,15 @@ var __importDefault =
         return mod && mod.__esModule ? mod : { default: mod };
     };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createTokenForClientCredentials = exports.validateOAuth2IdToken = exports.validateOAuth2AccessToken = exports.deleteOAuth2Client = exports.updateOAuth2Client = exports.createOAuth2Client = exports.getOAuth2Clients = exports.init = void 0;
+exports.revokeToken = exports.createTokenForClientCredentials = exports.validateOAuth2IdToken = exports.validateOAuth2AccessToken = exports.deleteOAuth2Client = exports.updateOAuth2Client = exports.createOAuth2Client = exports.getOAuth2Clients = exports.init = void 0;
 const utils_1 = require("../../utils");
 const recipe_1 = __importDefault(require("./recipe"));
 class Wrapper {
+    static async getOAuth2Client(clientId, userContext) {
+        return await recipe_1.default
+            .getInstanceOrThrowError()
+            .recipeInterfaceImpl.getOAuth2Client({ clientId }, utils_1.getUserContext(userContext));
+    }
     static async getOAuth2Clients(input, userContext) {
         return await recipe_1.default
             .getInstanceOrThrowError()
@@ -71,6 +76,41 @@ class Wrapper {
             userContext: utils_1.getUserContext(userContext),
         });
     }
+    static async revokeToken(token, clientId, clientSecret, userContext) {
+        let authorizationHeader = undefined;
+        const normalisedUserContext = utils_1.getUserContext(userContext);
+        const recipeInterfaceImpl = recipe_1.default.getInstanceOrThrowError().recipeInterfaceImpl;
+        const res = await recipeInterfaceImpl.getOAuth2Client({ clientId }, normalisedUserContext);
+        if (res.status !== "OK") {
+            throw new Error(`Failed to get OAuth2 client with id ${clientId}: ${res.error}`);
+        }
+        const { tokenEndpointAuthMethod } = res.client;
+        if (tokenEndpointAuthMethod === "none") {
+            authorizationHeader = "Basic " + Buffer.from(clientId + ":").toString("base64");
+        } else if (tokenEndpointAuthMethod === "client_secret_basic") {
+            authorizationHeader = "Basic " + Buffer.from(clientId + ":" + clientSecret).toString("base64");
+        }
+        if (authorizationHeader !== undefined) {
+            return await recipeInterfaceImpl.revokeToken({
+                token,
+                authorizationHeader,
+                userContext: normalisedUserContext,
+            });
+        }
+        return await recipeInterfaceImpl.revokeToken({
+            token,
+            clientId,
+            clientSecret,
+            userContext: normalisedUserContext,
+        });
+    }
+    static validateOAuth2RefreshToken(token, scopes, userContext) {
+        return recipe_1.default.getInstanceOrThrowError().recipeInterfaceImpl.introspectToken({
+            token,
+            scopes,
+            userContext: utils_1.getUserContext(userContext),
+        });
+    }
 }
 exports.default = Wrapper;
 Wrapper.init = recipe_1.default.init;
@@ -82,3 +122,4 @@ exports.deleteOAuth2Client = Wrapper.deleteOAuth2Client;
 exports.validateOAuth2AccessToken = Wrapper.validateOAuth2AccessToken;
 exports.validateOAuth2IdToken = Wrapper.validateOAuth2IdToken;
 exports.createTokenForClientCredentials = Wrapper.createTokenForClientCredentials;
+exports.revokeToken = Wrapper.revokeToken;