Fix issue and test invalid oapque tokens

MarcialRosales · MarcialRosales · commit 7c1ccf61a47e · 2025-07-18T15:55:16.000+02:00
diff --git a/deps/oauth2_client/src/oauth2_client.erl b/deps/oauth2_client/src/oauth2_client.erl
@@ -739,14 +739,22 @@ map_to_introspect_token_response(Code, Reason, Headers, Body) ->
             Error;
         Value ->
             case Code of
-                200 -> {ok, Value};
-                201 -> {ok, Value};
+                200 -> assert_token_is_active({ok, Value});
+                201 -> assert_token_is_active({ok, Value});
                 204 -> {ok, []};
                 400 -> {error, map_to_unsuccessful_introspect_token_response(Value)};
                 401 -> {error, map_to_unsuccessful_introspect_token_response(Value)};
                 _ ->   {error, Reason}
             end
     end.
+assert_token_is_active({ok, Response} = Value) ->
+    ct:log("Token : ~p", [Response]),
+    case maps:get(<<"active">>, Response, undefined) of 
+        undefined -> {error, introspected_token_not_valid};
+        false -> {error, introspected_token_not_valid};
+        true -> Value 
+    end.
+
 map_to_unsuccessful_introspect_token_response(Map) ->
     #unsuccessful_introspect_token_response{
         error = maps:get(?RESPONSE_ERROR, Map),
diff --git a/deps/oauth2_client/test/system_SUITE.erl b/deps/oauth2_client/test/system_SUITE.erl
@@ -49,10 +49,13 @@ groups() ->
                 cannot_introspect_due_to_missing_configuration,
                 {https, [], [
                     {with_introspection_basic_client_credentials, [], [
-                        can_introspect_token
+                        can_introspect_token                        
                     ]},
                     {with_introspection_request_param_client_credentials, [], [
                         can_introspect_token
+                    ]},
+                    {introspection_endpoint_returns_non_active_tokens, [], [
+                        introspected_token_is_not_active
                     ]}
                 ]}                
             ]},
@@ -215,6 +218,25 @@ init_per_group(with_introspection_basic_client_credentials, Config) ->
                 with_introspection_basic_client_credentials, Config)}
             
         ]} | Config];    
+init_per_group(introspection_endpoint_returns_non_active_tokens, Config) ->
+    application:set_env(rabbitmq_auth_backend_oauth2, introspection_client_id,
+        "some-client-id"),
+    application:set_env(rabbitmq_auth_backend_oauth2, introspection_client_secret,
+        "some-client-secret"),
+    application:set_env(rabbitmq_auth_backend_oauth2, introspection_client_auth_method,
+        basic),        
+    [{introspected_token_is_not_active, [
+            {introspection_endpoint, build_http_mock_behaviour(
+                build_introspection_token_request(?MOCK_OPAQUE_TOKEN, basic, <<"some-client-id">>, 
+                    <<"some-client-secret">>),
+                build_http_200_introspection_token_response([
+                    {active, false},
+                    {scope, <<"openid">>}            
+                ]))},
+            {get_openid_configuration, get_openid_configuration_http_expectation(
+                with_introspection_basic_client_credentials, Config)}
+            
+        ]} | Config]; 
 
 init_per_group(with_introspection_request_param_client_credentials, Config) ->    
     application:set_env(rabbitmq_auth_backend_oauth2, introspection_client_id,
@@ -723,6 +745,9 @@ cannot_introspect_due_to_missing_configuration(_Config)->
 can_introspect_token(_Config) ->
     {ok, _} = oauth2_client:introspect_token(?MOCK_OPAQUE_TOKEN).
 
+introspected_token_is_not_active(_Config) ->
+    {error, introspected_token_not_valid} = oauth2_client:introspect_token(?MOCK_OPAQUE_TOKEN).
+
 %%% HELPERS
 
 build_issuer(Scheme) ->
@@ -959,13 +984,15 @@ build_introspection_token_request(Token, request_param, ClientId, ClientSecret)
             {?REQUEST_CLIENT_SECRET, ClientSecret}
         ]).
 build_http_200_introspection_token_response() ->
+    build_http_200_introspection_token_response([
+            {active, true},
+            {scope, <<"openid">>}            
+    ]).
+build_http_200_introspection_token_response(PayloodList) ->
     [
         {code, 200},
         {content_type, ?CONTENT_JSON},
-        {payload, [
-            {active, true},
-            {scope, <<"openid">>}            
-        ]}
+        {payload, PayloodList}
     ].
 auth_server_error_when_access_token_request_expectation() ->
     build_http_mock_behaviour(build_http_request(
diff --git a/selenium/test/oauth/rabbitmq.opaque-token.conf b/selenium/test/oauth/rabbitmq.opaque-token.conf
@@ -0,0 +1,4 @@
+auth_oauth2.access_token_format = opaque
+auth_oauth2.introspection_client_auth_method = basic
+auth_oauth2.introspection_client_id = rabbitmq_client_code_opaque
+auth_oauth2.introspection_client_secret = rabbitmq_client_code_opaque
