oauth2/introspection: configure core validator with access only option (

ory#208) Signed-off-by: Beorn Facchini <beornf@gmail.com>
budougumi0617 · Aug 21, 2017 · a33a647 · a33a647
1 parent adc482d
commit a33a647
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/compose/compose_oauth2.go b/compose/compose_oauth2.go
@@ -81,9 +81,10 @@ func OAuth2TokenRevocationFactory(config *Config, storage interface{}, strategy
 // an access token and refresh token validator.
 func OAuth2TokenIntrospectionFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
 	return &oauth2.CoreValidator{
-		CoreStrategy:  strategy.(oauth2.CoreStrategy),
-		CoreStorage:   storage.(oauth2.CoreStorage),
-		ScopeStrategy: config.GetScopeStrategy(),
+		CoreStrategy:                  strategy.(oauth2.CoreStrategy),
+		CoreStorage:                   storage.(oauth2.CoreStorage),
+		ScopeStrategy:                 config.GetScopeStrategy(),
+		DisableRefreshTokenValidation: config.DisableRefreshTokenValidation,
 	}
 }
 

diff --git a/compose/config.go b/compose/config.go
@@ -19,6 +19,9 @@ type Config struct {
 	// HashCost sets the cost of the password hashing cost. Defaults to 12.
 	HashCost int
 
+	// DisableRefreshTokenValidation sets the introspection endpoint to disable refresh token validation.
+	DisableRefreshTokenValidation bool
+
 	ScopeStrategy fosite.ScopeStrategy
 }
 

diff --git a/handler/oauth2/introspector.go b/handler/oauth2/introspector.go
@@ -10,10 +10,15 @@ import (
 type CoreValidator struct {
 	CoreStrategy
 	CoreStorage
-	ScopeStrategy fosite.ScopeStrategy
+	ScopeStrategy                 fosite.ScopeStrategy
+	DisableRefreshTokenValidation bool
 }
 
 func (c *CoreValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (err error) {
+	if c.DisableRefreshTokenValidation {
+		return c.introspectAccessToken(ctx, token, accessRequest, scopes)
+	}
+
 	switch tokenType {
 	case fosite.RefreshToken:
 		if err = c.introspectRefreshToken(ctx, token, accessRequest, scopes); err == nil {

diff --git a/handler/oauth2/introspector_test.go b/handler/oauth2/introspector_test.go
@@ -61,6 +61,14 @@ func TestIntrospectToken(t *testing.T) {
 			},
 			expectErr: fosite.ErrTokenExpired,
 		},
+		{
+			description: "should fail because access token invalid",
+			setup: func() {
+				v.DisableRefreshTokenValidation = true
+				chgen.EXPECT().ValidateAccessToken(nil, areq, "1234").Return(errors.WithStack(fosite.ErrInvalidTokenFormat))
+			},
+			expectErr: fosite.ErrInvalidTokenFormat,
+		},
 		{
 			description: "should pass",
 			setup: func() {