Enable caching of negative introspection responses

zmartzone · Sep 16, 2024 · 03ec1d3 · 03ec1d3
1 parent 4702769
commit 03ec1d3
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -1780,6 +1780,11 @@ function openidc.introspect(opts)
 
  if v then
  json = cjson.decode(v)
+
+ if not json or not json.active then
+ err = "invalid cached token"
+ end
+
  return json, err
  end
 
@@ -1810,20 +1815,15 @@ function openidc.introspect(opts)
  end
  json, err = openidc.call_token_endpoint(opts, introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
 
-
  if not json then
  return json, err
  end
 
- if not json.active then
- err = "invalid token"
- return json, err
- end
-
  -- cache the results
  local introspection_cache_ignore = opts.introspection_cache_ignore or false
  local expiry_claim = opts.introspection_expiry_claim or "exp"
 
+
  if not introspection_cache_ignore and json[expiry_claim] then
  local introspection_interval = opts.introspection_interval or 0
  local ttl = json[expiry_claim]
@@ -1839,6 +1839,10 @@ function openidc.introspect(opts)
  set_cached_introspection(opts, access_token, cjson.encode(json), ttl)
  end
 
+ if not json.active then
+ err = "invalid token"
+ end
+
  return json, err
 
 end