andstatus / andstatus

Multiple accounts client for multiple Social networks. For Android
http://andstatus.org/
Apache License 2.0

"Reverify credentials" doesn't detect access problem #574

Closed yvolk closed 1 year ago

yvolk commented 1 year ago

On the Account settings screen AndStatus has a "Reverify Credentials" button that is meant to check whether the stored credentials (the access token for OAuth) are still valid. This works for the Twitter (?), GnuSocial and Mastodon APIs, which have dedicated protected "verify_credentials" endpoints; Pump.io also has a "whoami" endpoint. For ActivityPub, AndStatus uses the "me" URL as defined in IndieAuth https://indieauth.spec.indieweb.org/#access-token-verification-response But the problem is that the endpoint is not protected, and it can be accessed even without authorization. (@tsileo noticed this in https://github.com/andstatus/andstatus/issues/561#issuecomment-1356817535)

This means that "me" URL cannot be used for access verification. In terms of OAuth this could be "Token Introspection" as defined in https://www.rfc-editor.org/rfc/rfc7662 Unfortunately, no concrete URL of the endpoint is defined in the spec.

tsileo commented 1 year ago

Maybe the OAuth 2.0 Authorization Server Metadata (https://www.rfc-editor.org/rfc/rfc8414.html) can be used here too? introspection_endpoint is defined there.

I can add it in microblog.pub if you think that's useful?

Thanks!

yvolk commented 1 year ago

Yes, I think this will be the most "standard" way :-) "introspection_endpoint" is enough.

tsileo commented 1 year ago

I just added it and redeployed your test instance.

It is advertised in the OAuth metadata and requires both:

Here is an example of a successful response:

```json
{
    "active": true,
    "client_id": "https://micropublish.net/",
    "exp": 1675280767,
    "scope": "create update delete undelete"
}
```

Let me know if that works, thank you!

yvolk commented 1 year ago

@tsileo I'm trying this and getting "401 Unauthorized", although I'm posting the same way as for the access token request, i.e. with "Client Authentication".

```kotlin
// Build the introspection request the same way as the access token request:
// client authentication (API key + secret) plus the token being checked.
val request = OAuthRequest(api.accessTokenVerb, introspectionEndpoint)
api.clientAuthentication.addClientAuthentication(request, apiKey, apiSecret)
request.addParameter("token", accessToken)
request.addParameter("token_type_hint", "access_token")
```

See also https://github.com/scribejava/scribejava/issues/898#issuecomment-720194204
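The exchange this thread converges on, as an added example that is not AndStatus or microblog.pub code: an RFC 8414 metadata document advertising `introspection_endpoint`, a client that builds the client-authenticated RFC 7662 request the way the Kotlin snippet above does, and a toy server that answers 401 when client authentication is missing or wrong (the failure reported above) and `{"active": false}` for an unknown or expired token. The metadata document, client registration, token values and function names are assumptions made for this example, and the HTTP POST is replaced by a direct function call so it runs offline.

```python
"""RFC 7662 token introspection, client and server side, runnable offline.

Added example; not AndStatus or microblog.pub code. Metadata, client
registration, tokens and handler names are constructed for illustration.
"""
import base64
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# ---- toy authorization server state (constructed) ---------------------------
CLIENTS = {"https://andstatus.example/": "client-secret-1"}   # assumed client
TOKENS = {                                                    # opaque token -> claims
    "tok_live": {"client_id": "https://andstatus.example/",
                 "scope": "create update delete undelete",
                 "exp": 1675280767},                          # exp from the sample response
    "tok_old": {"client_id": "https://andstatus.example/",
                "scope": "create", "exp": 1600000000},
}
METADATA = {                                                  # RFC 8414 document (assumed)
    "issuer": "https://server.example/",
    "introspection_endpoint": "https://server.example/oauth/introspect",
}


def _client_from_basic_auth(headers):
    """Return the client_id if Authorization carries valid HTTP Basic client
    credentials. RFC 6749 s2.3.1 form-urlencodes id and secret before base64,
    which matters here because URL-shaped client ids contain ':'."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:            # bad base64 or bad UTF-8
        return None
    user, pw = unquote(user), unquote(pw)
    expected = CLIENTS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), pw.encode()):
        return user
    return None


def introspect_endpoint(headers, body, now=None):
    """Handle POST <introspection_endpoint>; returns (status, json_dict).
    RFC 7662 s2.1: the caller MUST be authenticated, so a missing or wrong
    client credential is a 401; a bad *token* is a 200 with active=false."""
    now = time.time() if now is None else now
    if _client_from_basic_auth(headers) is None:
        return 401, {"error": "invalid_client"}
    token = parse_qs(body).get("token", [""])[0]
    claims = TOKENS.get(token)
    # Unknown, revoked and expired tokens get the same minimal answer (s2.2),
    # so the endpoint does not reveal why a token is bad.
    if claims is None or claims["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **claims}


def me_endpoint(headers):
    """Stand-in for the unprotected 'me' URL the thread started from: it
    answers the same with or without credentials, so it verifies nothing."""
    return 200, {"me": "https://server.example/"}


# ---- client side: what "Reverify credentials" should send -------------------
def build_introspection_request(metadata, client_id, client_secret, token):
    """Endpoint from RFC 8414 metadata, Basic client auth, form body.
    Raises KeyError if the server does not advertise introspection."""
    url = metadata["introspection_endpoint"]
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode({"token": token, "token_type_hint": "access_token"})


def reverify_credentials(metadata, client_id, client_secret, token, now=None):
    """Returns 'active', 'inactive' or 'unauthorized_client'. The last means
    the *client* credentials are wrong, not that the user's token expired."""
    _url, headers, body = build_introspection_request(metadata, client_id,
                                                      client_secret, token)
    status, resp = introspect_endpoint(headers, body, now)   # in place of an HTTP POST
    if status == 401:
        return "unauthorized_client"
    if status != 200:
        raise RuntimeError(f"unexpected introspection status {status}")
    return "active" if resp.get("active") is True else "inactive"


if __name__ == "__main__":
    cid, secret = "https://andstatus.example/", "client-secret-1"
    for tok in ("tok_live", "tok_old", "tok_revoked"):
        print(tok, reverify_credentials(METADATA, cid, secret, tok, now=1675000000))
    print("no client auth ->", introspect_endpoint({}, "token=tok_live")[0])
    print("'me' without auth ->", me_endpoint({})[0])
```

The client keeps "unauthorized_client" separate from "inactive" on purpose: a 401 from the introspection endpoint means the app's own client authentication failed (the situation in the comment above) and should surface as a configuration problem, while only `{"active": false}` says the user's stored token is dead. Note also that the client id and secret are form-urlencoded before the Basic base64 step; with URL-shaped client ids like the `https://micropublish.net/` in the sample response, skipping that step makes the server split the credential at the wrong colon.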

tsileo commented 1 year ago

Good catch, sorry about that. I just pushed and redeployed a fix. Thanks!

yvolk commented 1 year ago

It works, thank you!