[PR #405] [MERGED] feat: implement token introspection #831

Closed
opened 2025-10-08 00:18:01 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/405
Author: @aksdb
Created: 3/30/2025
Status: Merged
Merged: 4/9/2025
Merged by: @stonith404

Base: main ← Head: feat/introspection


📝 Commits (10+)

  • ac0bf12 feat: implement token introspection
  • 2e13c09 Merge branch 'main' into feat/introspection
  • 410e91e feat: expect API behavior for introspection
  • 3a8d122 feat: introspect refresh_token
  • c3f4fb7 use cors middleware, rename token handler
  • 1849aaf Merge branch 'main' into feat/introspection
  • 5fd2dcc use switch statement
  • 5c03357 docs: fix copy&pasted comment to actually reflect the implementation
  • 8fe0008 Merge branch 'main' into feat/introspection
  • c925831 fix: use better suited verify method

📊 Changes

9 files changed (+416 additions, -14 deletions)


📝 backend/internal/controller/oidc_controller.go (+35 -3)
📝 backend/internal/controller/well_known_controller.go (+1 -0)
📝 backend/internal/dto/oidc_dto.go (+17 -0)
📝 backend/internal/middleware/cors.go (+8 -1)
📝 backend/internal/service/jwt_service.go (+76 -2)
📝 backend/internal/service/jwt_service_test.go (+66 -1)
📝 backend/internal/service/oidc_service.go (+89 -0)
📝 frontend/tests/data.ts (+34 -2)
📝 frontend/tests/oidc.spec.ts (+90 -5)

📄 Description

This PR implements the token introspection as requested in ticket #395.

It fulfills RFC 7662 as far as I can tell (at least the client that required it is happy with the result).

The endpoint requires a client_id/client_secret pair for authentication, so no random attackers can use it to fish for valid tokens (although that attack vector is pretty limited currently, since we don't offer any token revocation anyway). Potentially we could also allow API token auth for this endpoint, but for now it should be a good start with clientid/clientsecret already.

It also allows checking for the validity of a refresh_token.

Fixes: https://github.com/pocket-id/pocket-id/issues/395


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
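The description above states the two properties an RFC 7662 introspection endpoint needs: the caller must first authenticate with a client_id/client_secret pair, and the reply for an unknown or expired token must not help anyone fish for valid ones. The following Go program is an added illustration of those two rules and is not code from this PR or from pocket-id; the `IntrospectionServer` type, the `/introspect` path, the client and token values are all constructed for the example, and an in-memory map stands in for the JWT verification the PR's `jwt_service.go` actually performs. It also handles a refresh_token, as the PR does, via the `token_type` member.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// IntrospectionResponse holds the RFC 7662 section 2.2 members used here; all but "active" are omitted for inactive tokens.
type IntrospectionResponse struct {
	Active    bool   `json:"active"`
	Scope     string `json:"scope,omitempty"`
	ClientID  string `json:"client_id,omitempty"`
	Subject   string `json:"sub,omitempty"`
	TokenType string `json:"token_type,omitempty"` // "access_token" or "refresh_token"
	Exp       int64  `json:"exp,omitempty"`
}

type tokenRecord struct { // constructed in-memory stand-in for a token store entry
	subject, clientID, scope, tokenType string
	expiresAt                           time.Time
}

// IntrospectionServer is hypothetical and not pocket-id's own service type.
type IntrospectionServer struct {
	clients map[string]string      // client_id -> client_secret (constructed sample data)
	tokens  map[string]tokenRecord // token value -> record (constructed sample data)
	now     func() time.Time       // injectable clock so expiry checks are deterministic
}

// authenticateClient requires HTTP Basic client credentials before any token lookup happens.
func (s *IntrospectionServer) authenticateClient(r *http.Request) bool {
	id, secret, ok := r.BasicAuth()
	if !ok {
		return false
	}
	want, found := s.clients[id]
	// The constant-time compare runs even for unknown clients; "found" is applied last.
	return subtle.ConstantTimeCompare([]byte(secret), []byte(want)) == 1 && found
}

// Introspect applies the RFC 7662 rule: unknown or expired tokens collapse to {"active": false}.
func (s *IntrospectionServer) Introspect(token string) IntrospectionResponse {
	rec, ok := s.tokens[token]
	if !ok || !s.now().Before(rec.expiresAt) {
		return IntrospectionResponse{Active: false}
	}
	return IntrospectionResponse{Active: true, Scope: rec.scope, ClientID: rec.clientID,
		Subject: rec.subject, TokenType: rec.tokenType, Exp: rec.expiresAt.Unix()}
}

// ServeHTTP handles the POST form body: client auth first, then the lookup; the reply is non-cacheable.
func (s *IntrospectionServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !s.authenticateClient(r) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	if err := r.ParseForm(); err != nil || r.PostForm.Get("token") == "" {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	_ = json.NewEncoder(w).Encode(s.Introspect(r.PostForm.Get("token")))
}

// NewSampleServer wires constructed clients and tokens to a fixed clock.
func NewSampleServer() *IntrospectionServer {
	t0 := time.Date(2025, 4, 1, 12, 0, 0, 0, time.UTC)
	return &IntrospectionServer{
		clients: map[string]string{"resource-server": "sample-secret-not-real"},
		tokens: map[string]tokenRecord{
			"sample-access-valid":   {"alice", "web-app", "openid profile", "access_token", t0.Add(time.Hour)},
			"sample-refresh-valid":  {"alice", "web-app", "", "refresh_token", t0.Add(24 * time.Hour)},
			"sample-access-expired": {"bob", "web-app", "openid", "access_token", t0.Add(-time.Minute)},
		},
		now: func() time.Time { return t0 },
	}
}

// IntrospectViaHTTP drives the handler as a resource server would; "/introspect" is a placeholder path.
func IntrospectViaHTTP(s *IntrospectionServer, clientID, secret, token string) (int, IntrospectionResponse) {
	body := url.Values{"token": {token}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/introspect", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, secret)
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	var resp IntrospectionResponse
	_ = json.NewDecoder(rec.Body).Decode(&resp) // no body on 401/400 leaves the zero value
	return rec.Code, resp
}

func main() {
	code, resp := IntrospectViaHTTP(NewSampleServer(), "resource-server", "sample-secret-not-real", "sample-access-valid")
	fmt.Println(code, resp.Active, resp.Subject, resp.TokenType)
}
```

The design point worth noticing is that every negative outcome on the token side (never issued, expired, wrong type) produces the identical `{"active": false}` body, while a bad client credential produces a 401 with no body at all; a caller without a registered client therefore learns nothing about which token strings exist, which is the concern the description raises.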


Reference: starred/pocket-id-pocket-id-1#831