In previous versions, Red Hat Single Sign-On advertised two introspection endpoints: token_introspection_endpoint and introspection_endpoint.
The latter is the one defined by [RFC-8414](https://datatracker.ietf.org/doc/html/rfc8414#section-2). The former was deprecated and is now removed.
The implementation is backward compatible with OIDC configuration services returning deprecated token_introspection_endpoint. When both token_introspection_endpoint and introspection_endpoint fields are in the response of the OIDC configuration service, the latter takes preference as it is the one defined by RFC-8414.
[BREAKING CHANGE] When the introspection URL is not found for whatever reason, the request is rejected with 403 Forbidden. Before this change, the request was allowed by the introspection policy. IMO, if the introspection policy is added to the chain, it is expected that the token is inspected. If checking the token is not done because the URL is missing, the request is rejected. There were some tests that were passing (IMO unexpectedly) because of this issue. I have fixed them as well.
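The endpoint selection and the fail-closed decision described above, modelled as an added Python example (APIcast itself is written in Lua; this is not the project's code). The discovery documents, the issuer URL, the token values and the `fake_introspect` helper that stands in for the HTTP call are all constructed for the example:

```python
"""Fail-closed token introspection decision, modelled on the behaviour this PR
describes. Added example; not APIcast code. All data below is constructed."""
from typing import Callable, Dict, Optional, Tuple

REALM = "https://sso.example.test/auth/realms/basic"  # constructed issuer
INTROSPECT = REALM + "/protocol/openid-connect/token/introspect"

# Constructed OIDC discovery documents for the cases the PR has to handle.
OLD_CONFIG = {"issuer": REALM, "token_introspection_endpoint": INTROSPECT}
BOTH_CONFIG = {  # values differ on purpose so a test can see which one won
    "issuer": REALM,
    "token_introspection_endpoint": REALM + "/deprecated/introspect",
    "introspection_endpoint": INTROSPECT,
}
NEW_CONFIG = {"issuer": REALM, "introspection_endpoint": INTROSPECT}
NO_ENDPOINT_CONFIG = {"issuer": REALM}

Introspector = Callable[[str, str], Dict[str, object]]


def select_introspection_endpoint(config: Dict[str, object]) -> Optional[str]:
    """Prefer the RFC 8414 `introspection_endpoint`; fall back to the deprecated
    `token_introspection_endpoint` for older servers; None when neither exists."""
    url = config.get("introspection_endpoint") or config.get("token_introspection_endpoint")
    return str(url) if url else None


def introspection_decision(config: Dict[str, object], token: str,
                           introspect: Introspector) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a request carrying `token`.

    Fails closed: a missing introspection URL is a 403 rather than a
    pass-through, and an inactive (revoked) token is a 403."""
    url = select_introspection_endpoint(config)
    if url is None:
        return 403, "introspection endpoint not found in OIDC configuration"
    result = introspect(url, token)
    # RFC 7662: only an explicit `"active": true` means the token is good.
    if result.get("active") is not True:
        # The bearer token is masked in the log line, as the PR's log output shows.
        return 403, "token introspection for access token ***** : token not active"
    return 200, "token active"


def fake_introspect(url: str, token: str) -> Dict[str, object]:
    """Constructed stand-in for the HTTP call to the introspection endpoint.
    Only the constructed value "valid-token" is reported as active."""
    assert url.startswith("https://"), "introspection must go over TLS"
    return {"active": token == "valid-token"}


if __name__ == "__main__":
    cases = [("old", OLD_CONFIG), ("both", BOTH_CONFIG),
             ("new", NEW_CONFIG), ("none", NO_ENDPOINT_CONFIG)]
    for name, cfg in cases:
        for tok in ("valid-token", "revoked-token"):
            print(name, tok, introspection_decision(cfg, tok, fake_introspect))
```

The `none` case is the breaking change: before this PR that request would have been let through, now it is a 403 regardless of how good the token is.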
[X] Added unittests for the token introspection for the use_3scale_oidc_issuer_endpoint auth type (they were never implemented)
[X] Added e2e tests for the token introspection for the use_3scale_oidc_issuer_endpoint auth type.
Verification Steps
Set up a Red Hat Single Sign-On >= 7.5 instance with one realm, `basic`, plus clients and users.
* Revoke token.
Go to the Red Hat Single Sign-On admin application and revoke the session (token) from the user menu. It's `Log out` in the RH SSO site. Try to be fast so the token does not expire.
Run the same request, it should get `403 Forbidden`.
> APIcast logs should show something like "token introspection for access token ***** : token not active".
> If the token has expired, the request is rejected at the `rewrite` phase, while the token introspection policy is executed at the `access` phase (which is after the `rewrite` phase).
What
Fix https://issues.redhat.com/browse/THREESCALE-10591
From RH-SSO 7.5 doc
* Check the OIDC configuration of realm `basic`: it exposes `introspection_endpoint`, and the `token_introspection_endpoint` is gone.
* Create a product against realm `basic` with deployment type `APIcast self-managed`.
* Create an application `App01` for product A. That will generate a `Client ID` and `Client Secret`.
* Configure a `GET /foo` mapping with `auth_type` set to `use_3scale_oidc_issuer_endpoint`.
* Get an access token from realm `basic` using the client credentials from the application `App01`.

Capture the access token:

```shell
ACCESS_TOKEN=eyJhb...
```

Capture the APIcast IP:

```shell
APICAST_IP=$(docker inspect apicast_build_0-development-1 | yq e -P '.[0].NetworkSettings.Networks.apicast_build_0_default.IPAddress' -)
```

Run the request with the active token; it should get `200 OK`:

```shell
curl -i -k -H "Host: example.com:443" -H "Accept: application/json" -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://${APICAST_IP}:8080/foo"
```

```
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 19 Jan 2024 23:36:32 GMT
Content-Type: application/json
Content-Length: 2008
Connection: keep-alive
x-3scale-echo-api: echo-api/1.0.3
vary: Origin
x-content-type-options: nosniff
x-envoy-upstream-service-time: 0
```

After revoking the token, run the same request; it should get `403 Forbidden`:

```shell
curl -v -k -H "Host: example.com:443" -H "Accept: application/json" -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://${APICAST_IP}:8080/foo"
```

```
HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 19 Jan 2024 23:35:10 GMT
Content-Type: text/plain; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive

Authentication failed
```