feat: improve token introspection endpoint (#534)

* feat: add introspection endpoint to oidc discovery endpoint

* fix: let introspect endpoint handle formData as spec define.

Signed-off-by: Leon <leondevlifelog@gmail.com>

controllers/token.go

@@ -237,12 +237,12 @@ func (c *ApiController) TokenLogout() {
 //  representing the meta information surrounding the
 //  token, including whether this token is currently active.
 //  This endpoint only support Basic Authorization.
-// @Param body body {object.TokenIntrospectionRequest} true "the request body"
+// @Param token formData string true "access_token's value or refresh_token's value"
+// @Param token_type_hint formData string true "the token type access_token or refresh_token"
 // @Success 200 {object} object.IntrospectionResponse The Response object
 // @router /login/oauth/introspect [post]
 func (c *ApiController) IntrospectToken() {
-	var body object.TokenIntrospectionRequest
+	tokenValue := c.Input().Get("token")
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &body)
 	clientId, clientSecret, ok := c.Ctx.Request.BasicAuth()
 	if !ok {
 		util.LogWarning(c.Ctx, "Basic Authorization parses failed")
@@ -257,14 +257,14 @@ func (c *ApiController) IntrospectToken() {
 		c.ServeJSON()
 		return
 	}
-	token := object.GetTokenByTokenAndApplication(body.Token, application.Name)
+	token := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
 	if token == nil {
 		util.LogWarning(c.Ctx, "application: %s can not find token", application.Name)
 		c.Data["json"] = &object.IntrospectionResponse{Active: false}
 		c.ServeJSON()
 		return
 	}
-	jwtToken, err := object.ParseJwtTokenByApplication(body.Token, application)
+	jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
 	if err != nil || jwtToken.Valid() != nil {
 		// and token revoked case. but we not implement
 		// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.

object/oidc_discovery.go

@@ -30,6 +30,7 @@ type OidcDiscovery struct {
 	TokenEndpoint                          string   `json:"token_endpoint"`
 	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
 	JwksUri                                string   `json:"jwks_uri"`
+	IntrospectionEndpoint                  string   `json:"introspection_endpoint"`
 	ResponseTypesSupported                 []string `json:"response_types_supported"`
 	ResponseModesSupported                 []string `json:"response_modes_supported"`
 	GrantTypesSupported                    []string `json:"grant_types_supported"`
@@ -74,6 +75,7 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 		TokenEndpoint:                          fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),
 		UserinfoEndpoint:                       fmt.Sprintf("%s/api/userinfo", originBackend),
 		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks", originBackend),
+		IntrospectionEndpoint:                  fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),
 		ResponseTypesSupported:                 []string{"id_token"},
 		ResponseModesSupported:                 []string{"login", "code", "link"},
 		GrantTypesSupported:                    []string{"password", "authorization_code"},

object/token.go

@@ -60,14 +60,6 @@ type TokenWrapper struct {
 	Scope        string `json:"scope"`
 }
 
-type TokenIntrospectionRequest struct {
-	// access_token's value or refresh_token's value
-	Token string `json:"token"`
-	// pass this parameter to help the authorization server optimize the token lookup.
-	// value is one of `access_token` or `refresh_token`
-	TokenTypeHint string `json:"token_type_hint,omitempty"`
-}
-
 type IntrospectionResponse struct {
 	Active    bool     `json:"active"`
 	Scope     string   `json:"scope,omitempty"`