Add introspection_endpoint to oauth2 schema

Author: MarcialRosales

deps/oauth2_client/include/oauth2_client.hrl

@@ -43,5 +43,6 @@
 -define(RESPONSE_TOKEN_ENDPOINT, <<"token_endpoint">>).
 -define(RESPONSE_AUTHORIZATION_ENDPOINT, <<"authorization_endpoint">>).
 -define(RESPONSE_END_SESSION_ENDPOINT, <<"end_session_endpoint">>).
+-define(RESPONSE_INTROSPECTION_ENDPOINT, <<"introspection_endpoint">>).
 -define(RESPONSE_JWKS_URI, <<"jwks_uri">>).
 -define(RESPONSE_TLS_OPTIONS, <<"ssl_options">>).

deps/oauth2_client/include/types.hrl

@@ -16,7 +16,8 @@
     token_endpoint :: option(uri_string:uri_string()),
     authorization_endpoint :: option(uri_string:uri_string()),
     end_session_endpoint :: option(uri_string:uri_string()),
-    jwks_uri :: option(uri_string:uri_string())
+    jwks_uri :: option(uri_string:uri_string()),
+    introspection_endpoint :: option(uri_string:uri_string()),
 }).
 -type openid_configuration() :: #openid_configuration{}.
 
@@ -29,6 +30,7 @@
     authorization_endpoint :: option(uri_string:uri_string()),
     end_session_endpoint :: option(uri_string:uri_string()),
     jwks_uri :: option(uri_string:uri_string()),
+    introspection_endpoint :: option(uri_string:uri_string()),
     ssl_options :: option(list())
 }).
 

deps/oauth2_client/src/oauth2_client.erl

@@ -120,10 +120,15 @@ merge_openid_configuration(OpenId, OAuthProvider0) ->
         EndSessionEndpoint ->
             OAuthProvider2#oauth_provider{end_session_endpoint = EndSessionEndpoint}
     end,
-    case OpenId#openid_configuration.jwks_uri of
+    OAuthProvider4 = case OpenId#openid_configuration.introspection_endpoint of
         undefined -> OAuthProvider3;
+        IntrospectionEndpoint ->
+            OAuthProvider3#oauth_provider{introspection_endpoint = IntrospectionEndpoint}
+    end,
+    case OpenId#openid_configuration.jwks_uri of
+        undefined -> OAuthProvider4;
         JwksUri ->
-            OAuthProvider3#oauth_provider{jwks_uri = JwksUri}
+            OAuthProvider4#oauth_provider{jwks_uri = JwksUri}
     end.
 
 -spec merge_oauth_provider(oauth_provider(), proplists:proplist()) ->
@@ -144,10 +149,10 @@ merge_oauth_provider(OAuthProvider, Proplist) ->
         EndSessionEndpoint -> [{end_session_endpoint, EndSessionEndpoint} |
             proplists:delete(end_session_endpoint, Proplist1)]
     end,
-    Proplist3 = case OAuthProvider#oauth_provider.tokeninfo_endpoint of
+    Proplist3 = case OAuthProvider#oauth_provider.introspection_endpoint of
         undefined ->  Proplist2;
-        TokenInfoEndpoint -> [{tokeninfo_endpoint, TokenInfoEndpoint} |
-            proplists:delete(tokeninfo_endpoint, Proplist2)]
+        IntrospectionEndpoint -> [{introspection_endpoint, IntrospectionEndpoint} |
+            proplists:delete(introspection_endpoint, Proplist2)]
     end,
     case OAuthProvider#oauth_provider.jwks_uri of
         undefined ->  Proplist3;
@@ -181,6 +186,8 @@ map_to_openid_configuration(Map) ->
             Map, undefined),
         end_session_endpoint = maps:get(?RESPONSE_END_SESSION_ENDPOINT,
             Map, undefined),
+        introspection_endpoint = maps:get(?RESPONSE_INTROSPECTION_ENDPOINT,
+            Map, undefined),
         jwks_uri = maps:get(?RESPONSE_JWKS_URI, Map, undefined)
     }.
 
@@ -220,6 +227,10 @@ do_update_oauth_provider_endpoints_configuration(OAuthProvider) when
         undefined -> do_nothing;
         EndSessionEndpoint -> set_env(end_session_endpoint, EndSessionEndpoint)
     end,
+    case OAuthProvider#oauth_provider.introspection_endpoint of
+        undefined -> do_nothing;
+        IntrospectionEndpoint -> set_env(introspection_endpoint, IntrospectionEndpoint)
+    end,
     case OAuthProvider#oauth_provider.jwks_uri of
         undefined -> do_nothing;
         JwksUri -> set_env(jwks_uri, JwksUri)
@@ -400,6 +411,7 @@ lookup_root_oauth_provider() ->
         token_endpoint = get_env(token_endpoint),
         authorization_endpoint = get_env(authorization_endpoint),
         end_session_endpoint = get_env(end_session_endpoint),
+        introspection_endpoint = get_env(introspection_endpoint),
         ssl_options = extract_ssl_options_as_list(Map)
     }.
 
@@ -589,6 +601,8 @@ map_to_oauth_provider(PropList) when is_list(PropList) ->
             proplists:get_value(authorization_endpoint, PropList, undefined),
         end_session_endpoint =
             proplists:get_value(end_session_endpoint, PropList, undefined),
+        introspection_endpoint = 
+            proplists:get_value(introspection_endpoint, PropList, undefined),
         jwks_uri =
             proplists:get_value(jwks_uri, PropList, undefined),
         ssl_options =
@@ -639,13 +653,14 @@ format_oauth_provider(OAuthProvider) ->
     lists:flatten(io_lib:format("{id: ~p, issuer: ~p, discovery_endpoint: ~p, " ++
         " token_endpoint: ~p, " ++
         "authorization_endpoint: ~p, end_session_endpoint: ~p, " ++
-        "jwks_uri: ~p, ssl_options: ~p }", [
+        "introspection_endpoint: ~p, jwks_uri: ~p, ssl_options: ~p }", [
         format_oauth_provider_id(OAuthProvider#oauth_provider.id),
         OAuthProvider#oauth_provider.issuer,
         OAuthProvider#oauth_provider.discovery_endpoint,
         OAuthProvider#oauth_provider.token_endpoint,
         OAuthProvider#oauth_provider.authorization_endpoint,
         OAuthProvider#oauth_provider.end_session_endpoint,
+        OAuthProvider#oauth_provider.introspection_endpoint,
         OAuthProvider#oauth_provider.jwks_uri,
         format_ssl_options(OAuthProvider#oauth_provider.ssl_options)])).
 

deps/oauth2_client/test/unit_SUITE.erl

@@ -109,6 +109,15 @@ merge_oauth_provider(_) ->
                   {token_endpoint, OAuthProvider4#oauth_provider.token_endpoint}],
                   Proplist5),
 
+    OAuthProvider5 = OAuthProvider4#oauth_provider{introspection_endpoint = "https://introspection"},
+    Proplist6 = oauth2_client:merge_oauth_provider(OAuthProvider5, Proplist5),
+    ?assertEqual([{jwks_uri, OAuthProvider5#oauth_provider.jwks_uri},
+                  {end_session_endpoint, OAuthProvider5#oauth_provider.end_session_endpoint},
+                  {authorization_endpoint, OAuthProvider5#oauth_provider.authorization_endpoint},
+                  {token_endpoint, OAuthProvider5#oauth_provider.token_endpoint},
+                  {introspection_endpoint, OAuthProvider5#oauth_provider.introspection_endpoint}],
+                  Proplist6),              
+
     % ensure id, issuer, ssl_options and discovery_endpoint are not affected
     ?assertEqual(OAuthProvider#oauth_provider.id,
         OAuthProvider4#oauth_provider.id),

deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl

@@ -48,7 +48,9 @@
   additional_scopes_key :: binary() | undefined,
   preferred_username_claims :: list(),
   scope_aliases :: map() | undefined,
-  oauth_provider_id :: oauth_provider_id()
+  oauth_provider_id :: oauth_provider_id(),
+  oauth_client_id :: binary() | undefined,
+  oauth_client_secret :: binary() | undefined 
  }).
 
 -type resource_server() :: #resource_server{}.

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -153,6 +153,19 @@
     rabbit_oauth2_schema:translate_signing_keys(Conf)
  end}.
 
+%% When RabbitMQ sends a request to the authorization server, such as to validate a token,
+%% it must authenticate with the authorization server
+
+{mapping, 
+ "auth_oauth2.oauth_client_id", 
+ "rabbitmq_auth_backend_oauth2.oauth_client_id",
+ [{datatype, string}]}.
+
+{mapping, 
+ "auth_oauth2.oauth_client_secret", 
+ "rabbitmq_auth_backend_oauth2.oauth_client_secret",
+[{datatype, string}]}.
+
 {mapping,
  "auth_oauth2.issuer",
  "rabbitmq_auth_backend_oauth2.issuer",
@@ -201,8 +214,8 @@
  end}.
 
 {mapping,
- "auth_oauth2.tokeninfo_endpoint",
- "rabbitmq_auth_backend_oauth2.tokeninfo_endpoint",
+ "auth_oauth2.introspection_endpoint",
+ "rabbitmq_auth_backend_oauth2.introspection_endpoint",
  [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
 
 {mapping,
@@ -297,7 +310,7 @@
 }.
 
 {mapping,
-  "auth_oauth2.oauth_providers.$name.tokeninfo_endpoint",
+  "auth_oauth2.oauth_providers.$name.introspection_endpoint",
   "rabbitmq_auth_backend_oauth2.oauth_providers",
   [{datatype, string}, {validators, ["uri", "https_uri"]}]
 }.
@@ -419,6 +432,18 @@
  "rabbitmq_auth_backend_oauth2.resource_servers",
  [{datatype, string}]}.
 
+%% When RabbitMQ sends a request to the authorization server, such as to validate a token,
+%% it must authenticate with the authorization server
+{mapping, 
+ "auth_oauth2.resource_servers.$name.oauth_client_id", 
+ "rabbitmq_auth_backend_oauth2.resource_servers",
+ [{datatype, string}]}.
+
+{mapping, 
+ "auth_oauth2.resource_servers.$name.oauth_client_secret", 
+ "rabbitmq_auth_backend_oauth2.resource_servers",
+[{datatype, string}]}.
+
 
 {translation, "rabbitmq_auth_backend_oauth2.resource_servers",
  fun(Conf) ->