THREESCALE-10591 token instrospection field removed

[eguzki]

What

Fix https://issues.redhat.com/browse/THREESCALE-10591

From RH-SSO 7.5 doc

In previous versions, Red Hat Single Sign-On advertised two introspection endpoints: token_introspection_endpoint and introspection_endpoint. 

The latter is the one defined by [RFC-8414](https://datatracker.ietf.org/doc/html/rfc8414#section-2). The former was deprecated and is now removed.

The implementation is backward compatible with OIDC configuration services returning deprecated token_introspection_endpoint. When both token_introspection_endpoint and introspection_endpoint fields are in the response of the OIDC configuration service, the latter takes preference as it is the one defined by RFC-8414.

[BREAKING CHANGE] When the introspection URL is not found for whatever reason, the request is rejected with 403 Forbidden. Before this change, the request was allowed by the introspection policy. IMO. if the introspection policy is added to the chain, it is expected that the token is inspected. If checking the token is not done because the URL is missing, the request is rejected. There were some tests that were passing (IMO unexpectedly) because of this issue. I have fixed them as well.

• [X] Added unittests for the token introspection for the use_3scale_oidc_issuer_endpoint auth type (they were never implemented)
• [X] Added e2e tests for the token introspection for the use_3scale_oidc_issuer_endpoint auth type.

Verification Steps

• Setup Red Hat Single Sign-On >= 7.5 instance. 1 realms basic, clients and users
• Install 3scale
  • Integrating 3scale with Red Hat Single Sign-On as the OpenID Connect identity provider
• The OIDC service configuration endpoint only provides introspection_endpoint (realm

  curl https://keycloak.example.com/auth/realms/basic/.well-known/openid-configuration 2>/dev/null | yq e '.introspection_endpoint'
  https://keycloak.example.com/auth/realms/basic/protocol/openid-connect/token/introspect

  And the token_introspection_endpoint is gone

  curl https://keycloak.example.com/auth/realms/basic/.well-known/openid-configuration 2>/dev/null | yq e '.token_introspection_endpoint'
  null

• Configure a single Product A with an OpenID Provider + realm basic and deployment type as APIcast self-managed
• Create 3scale application App01 for product A. That will generate Client ID and Client Secret.
• Create mapping rule for Product A GET /foo
• Configure a Token Introspection policy with auth_type set to use_3scale_oidc_issuer_endpoint

  {
  "name": "apicast.policy.token_introspection",
  "configuration": {
    "auth_type": "use_3scale_oidc_issuer_endpoint"
  }
  },  

• Start dev environment

  make development
  make dependencies

• Run apicast locally

  THREESCALE_DEPLOYMENT_ENV=staging APICAST_LOG_LEVEL=debug APICAST_WORKER=1 APICAST_CONFIGURATION_LOADER=lazy APICAST_CONFIGURATION_CACHE=0 THREESCALE_PORTAL_ENDPOINT=https://token@3scale-admin.example.com ./bin/apicast

• Generate token from a realm basic using client credentials from the application App01

  
  curl -v -k -H "Content-Type: application/x-www-form-urlencoded" \
      -d 'grant_type=password' \
      -d 'client_id=${CLIENT_ID_FROM_3SCALE_APPLICATION}' \
      -d 'client_secret=${CLIENT_SECRET_FROM_3SCALE_APPLICATION}' \
      -d 'username=${USER_CREATED_IN_KEYCLOAK}' \
      -d 'password=***' "https://keycloak.example.com/auth/realms/basic/protocol/openid-connect/token"

capture access token

ACCESS_TOKEN=eyJhb...

* Run query with the valid jwt

capture apicast IP

APICAST_IP=$(docker inspect apicast_build_0-development-1 | yq e -P '.[0].NetworkSettings.Networks.apicast_build_0_default.IPAddress' -)

curl -i -k -H "Host: example.com:443" -H "Accept: application/json" -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://${APICAST_IP}:8080/foo"

The response should be HTTP/1.1 200 OK 

HTTP/1.1 200 OK Server: openresty Date: Fri, 19 Jan 2024 23:36:32 GMT Content-Type: application/json Content-Length: 2008 Connection: keep-alive x-3scale-echo-api: echo-api/1.0.3 vary: Origin x-content-type-options: nosniff x-envoy-upstream-service-time: 0

* Revoke token. 

Go to Red Hat Single Sign-On admin application, and revoke the session (token) from the user menu.  It's `Log out` in RH SSO site. Try to be fast so the token does not expire.

Run the same request, it should get `403 Forbidden`.

curl -v -k -H "Host: example.com:443" -H "Accept: application/json" -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://${APICAST_IP}:8080/foo"

HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 19 Jan 2024 23:35:10 GMT Content-Type: text/plain; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive

Authentication failed

> APIcast logs should show something like "token introspection for access token ***** : token not active

> If the token has expired, the request is rejected at the `rewrite` phase, while the token introspection policy is executed at the `access` phase (which is after the `rewrite` phase).

[tkan145]

LGTM!