POC introspection endpoint RFC 7662

Author: jdeniau

Diff for: Controller/IntrospectionController.php

@@ -0,0 +1,128 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the FOSOAuthServerBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\OAuthServerBundle\Controller;
+
+use FOS\OAuthServerBundle\Model\AccessTokenInterface;
+use FOS\OAuthServerBundle\Model\RefreshTokenInterface;
+use FOS\OAuthServerBundle\Model\TokenInterface;
+use FOS\OAuthServerBundle\Model\TokenManagerInterface;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+
+class IntrospectionController
+{
+    /**
+     * @var TokenStorageInterface
+     */
+    private $tokenStorage;
+
+    /**
+     * @var TokenManagerInterface
+     */
+    private $accessTokenManager;
+
+    /**
+     * @var TokenManagerInterface
+     */
+    private $refreshTokenManager;
+
+    public function __construct(
+        TokenStorageInterface $tokenStorage,
+        TokenManagerInterface $accessTokenManager,
+        TokenManagerInterface $refreshTokenManager
+    ) {
+        $this->tokenStorage = $tokenStorage;
+        $this->accessTokenManager = $accessTokenManager;
+        $this->refreshTokenManager = $refreshTokenManager;
+    }
+
+    public function introspectAction(Request $request): JsonResponse
+    {
+        // $clientToken = $this->tokenStorage->getToken(); → use in security
+
+        // TODO security for this endpoint. Probably in the README documentation
+
+        $token = $this->getToken($request);
+
+        $isActive = $token && !$token->hasExpired();
+
+        if (!$isActive) {
+            return new JsonResponse([
+                'active' => false,
+            ]);
+        }
+
+        return new JsonResponse([
+            'active' => true,
+            'scope' => $token->getScope(),
+            'client_id' => $token->getClientId(),
+            'username' => $this->getUsername($token),
+            'token_type' => $this->getTokenType($token),
+            'exp' => $token->getExpiresAt(),
+        ]);
+    }
+
+    /**
+     * @return TokenInterface|null
+     */
+    private function getToken(Request $request)
+    {
+        $tokenTypeHint = $request->request->get('token_type_hint'); // TODO move in a form type ? can be `access_token`, `refresh_token` See https://tools.ietf.org/html/rfc7009#section-4.1.2
+        $tokenString = $request->request->get('token'); // TODO move in a form type ?
+
+        $tokenManagerList = [];
+        if (!$tokenTypeHint || 'access_token' === $tokenTypeHint) {
+            $tokenManagerList[] = $this->accessTokenManager;
+        }
+        if (!$tokenTypeHint || 'refresh_token' === $tokenTypeHint) {
+            $tokenManagerList[] = $this->refreshTokenManager;
+        }
+
+        foreach ($tokenManagerList as $tokenManager) {
+            $token = $tokenManager->findTokenByToken($tokenString);
+
+            if ($token) {
+                return $token;
+            }
+        }
+    }
+
+    /**
+     * @return string|null
+     */
+    private function getTokenType(TokenInterface $token)
+    {
+        if ($token instanceof AccessTokenInterface) {
+            return 'access_token';
+        } elseif ($token instanceof RefreshTokenInterface) {
+            return 'refresh_token';
+        }
+
+        return null;
+    }
+
+    /**
+     * @return string|null
+     */
+    private function getUsername(TokenInterface $token)
+    {
+        $user = $token->getUser();
+        if (!$user) {
+            return null;
+        }
+
+        return $user->getUserName();
+    }
+}

Diff for: DependencyInjection/FOSOAuthServerExtension.php

@@ -101,6 +101,8 @@ public function load(array $configs, ContainerBuilder $container)
             $authorizeFormDefinition = $container->getDefinition('fos_oauth_server.authorize.form');
             $authorizeFormDefinition->setFactory([new Reference('form.factory'), 'createNamed']);
         }
+
+        $this->loadIntrospection($loader);
     }
 
     /**
@@ -142,6 +144,11 @@ protected function remapParametersNamespaces(array $config, ContainerBuilder $co
         }
     }
 
+    protected function loadIntrospection(XmlFileLoader $loader)
+    {
+        $loader->load('introspection.xml');
+    }
+
     protected function loadAuthorize(array $config, ContainerBuilder $container, XmlFileLoader $loader)
     {
         $loader->load('authorize.xml');

Diff for: Resources/config/introspection.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <services>
+        <service id="fos_oauth_server.controller.introspection" class="FOS\OAuthServerBundle\Controller\IntrospectionController" public="true">
+            <argument type="service" id="security.token_storage" />
+            <argument type="service" id="fos_oauth_server.access_token_manager" />
+            <argument type="service" id="fos_oauth_server.refresh_token_manager" />
+        </service>
+    </services>
+
+</container>

Diff for: Resources/config/routing/introspection.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<routes xmlns="http://symfony.com/schema/routing"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/routing http://symfony.com/schema/routing/routing-1.0.xsd">
+
+    <route id="fos_oauth_server_introspection" path="/oauth/v2/introspect" methods="POST">
+        <default key="_controller">fos_oauth_server.controller.introspection:introspectAction</default>
+    </route>
+
+</routes>
+