Merge pull request #5514 from nickgros/PLFM-9471

PLFM-9471 - RFC-7662 introspection service

Author: nickgros

client/synapseJavaClient/src/main/java/org/sagebionetworks/client/SynapseClient.java

@@ -253,6 +253,8 @@
 import org.sagebionetworks.repo.model.oauth.OAuthProvider;
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformation;
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformationList;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionRequest;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.repo.model.oauth.OAuthTokenRevocationRequest;
 import org.sagebionetworks.repo.model.oauth.OAuthUrlRequest;
 import org.sagebionetworks.repo.model.oauth.OAuthUrlResponse;
@@ -2306,6 +2308,12 @@ OIDCTokenResponse getTokenResponse(
 	 */
 	void revokeTokenURLEncoded(String token) throws SynapseException, UnsupportedEncodingException;
 
+	/**
+	 * Introspects an access token, returning whether it is active and its claims.
+	 * Authenticated by the calling Synapse user (not an OAuth client).
+	 */
+	OAuthTokenIntrospectionResponse introspectToken(OAuthTokenIntrospectionRequest request) throws SynapseException;
+
 	/**
 	 * Updates the metadata for a particular refresh token.
 	 * @param metadata

client/synapseJavaClient/src/main/java/org/sagebionetworks/client/SynapseClientImpl.java

@@ -293,6 +293,8 @@
 import org.sagebionetworks.repo.model.oauth.OAuthProvider;
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformation;
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformationList;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionRequest;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.repo.model.oauth.OAuthTokenRevocationRequest;
 import org.sagebionetworks.repo.model.oauth.OAuthUrlRequest;
 import org.sagebionetworks.repo.model.oauth.OAuthUrlResponse;
@@ -626,6 +628,7 @@ public class SynapseClientImpl extends BaseClientImpl implements SynapseClient {
 	public static final String AUTH_OAUTH_2_AUDIT_CLIENTS = AUTH_OAUTH_2_AUDIT + "/grantedClients";
 	public static final String METADATA = "/metadata";
 	public static final String REVOKE = "/revoke";
+	public static final String AUTH_OAUTH_2_INTROSPECT = AUTH_OAUTH_2 + "/introspect";
 	public static final String TOKENS = "/tokens";
 
 	public static final String AUTH_OAUTH_2_GRANT_TYPE_PARAM = "grant_type";
@@ -4822,6 +4825,12 @@ public void revokeTokenURLEncoded(String token) throws SynapseException, Unsuppo
 		ClientUtils.checkStatusCodeAndThrowException(response);
 	}
 
+	@Override
+	public OAuthTokenIntrospectionResponse introspectToken(OAuthTokenIntrospectionRequest request) throws SynapseException {
+		ValidateArgument.required(request, "request");
+		return postJSONEntity(getAuthEndpoint(), AUTH_OAUTH_2_INTROSPECT, request, OAuthTokenIntrospectionResponse.class);
+	}
+
 	@Override
 	public OAuthRefreshTokenInformation updateRefreshTokenMetadata(OAuthRefreshTokenInformation metadata) throws SynapseException {
 		ValidateArgument.required(metadata, "metadata");

integration-test/src/test/java/org/sagebionetworks/IT960TermsOfUse.java

@@ -5,6 +5,7 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
@@ -32,6 +33,8 @@
 import org.sagebionetworks.repo.model.auth.TermsOfServiceState;
 import org.sagebionetworks.repo.model.auth.TermsOfServiceStatus;
 import org.sagebionetworks.repo.model.file.ExternalFileHandle;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionRequest;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.warehouse.WarehouseTestHelper;
 
 @ExtendWith(ITTestExtension.class)
@@ -171,6 +174,22 @@ public void testGetUserTermsOfServiceStatus() throws SynapseException {
 		assertNotNull(status.getLastAgreementVersion());
 	}
 
+	@Test
+	public void testIntrospectTokenWithoutAcceptingTermsOfUse() throws SynapseException {
+		// A user who has not accepted the ToS should still be able to introspect a token
+		String token = rejectTOUsynapse.getAccessToken();
+
+		OAuthTokenIntrospectionRequest request = new OAuthTokenIntrospectionRequest();
+		request.setToken(token);
+
+		OAuthTokenIntrospectionResponse response = rejectTOUsynapse.introspectToken(request);
+
+		assertTrue(response.getActive());
+		assertNotNull(response.getSub());
+		assertNotNull(response.getExp());
+		assertNotNull(response.getAud());
+	}
+
 	@Test
 	public void testUpdateTermsOfServiceRequirments(SynapseAdminClient adminSynapse) throws SynapseException {
 		TermsOfServiceInfo info = synapse.getTermsOfServiceInfo();

integration-test/src/test/java/org/sagebionetworks/ITOpenIDConnectTest.java

@@ -7,6 +7,7 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.sagebionetworks.client.ClientUtils.createBasicAuthorizationHeader;
 
 import java.util.Collections;
 import java.util.HashMap;
@@ -44,6 +45,7 @@
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformationList;
 import org.sagebionetworks.repo.model.oauth.OAuthResponseType;
 import org.sagebionetworks.repo.model.oauth.OAuthScope;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.repo.model.oauth.OAuthTokenRevocationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequestDescription;
@@ -54,6 +56,7 @@
 import org.sagebionetworks.repo.model.oauth.OIDCTokenResponse;
 import org.sagebionetworks.repo.model.oauth.OIDConnectConfiguration;
 import org.sagebionetworks.repo.model.oauth.TokenTypeHint;
+import org.sagebionetworks.schema.adapter.org.json.JSONObjectAdapterImpl;
 import org.sagebionetworks.simpleHttpClient.SimpleHttpClient;
 import org.sagebionetworks.simpleHttpClient.SimpleHttpClientImpl;
 import org.sagebionetworks.simpleHttpClient.SimpleHttpRequest;
@@ -353,7 +356,22 @@ public void testRoundTrip() throws Exception {
 		assertEquals(email, idClaims.get("email", String.class));
 		assertEquals(Collections.EMPTY_LIST, idClaims.get("team", List.class));
 		assertEquals(nonce, idClaims.get("nonce"));
-		
+
+		// introspect the ID token
+		{
+			SimpleHttpRequest request = new SimpleHttpRequest();
+			request.setUri(config.getAuthenticationServicePublicEndpoint()+"/oauth2/introspect");
+			Map<String, String> requestHeaders = new HashMap<>();
+			requestHeaders.put("Content-Type", "application/x-www-form-urlencoded");
+			request.setHeaders(requestHeaders);
+			String requestBody = "token="+tokenResponse.getId_token();
+			SimpleHttpResponse response = simpleClient.post(request, requestBody);
+			assertEquals(HttpStatus.SC_OK, response.getStatusCode());
+			assertNotNull(response.getContent());
+			OAuthTokenIntrospectionResponse introspectionResponse = new OAuthTokenIntrospectionResponse(new JSONObjectAdapterImpl(response.getContent()));
+			assertTrue(introspectionResponse.getActive());
+		}
+
 		// the access token encodes claims we can refresh
 		Jwt<JwsHeader, Claims> parsedAccessToken = JSONWebTokenHelper.parseJWT(tokenResponse.getAccess_token(), jsonWebKeySet);
 		Claims accessClaims = parsedAccessToken.getBody();
@@ -367,6 +385,21 @@ public void testRoundTrip() throws Exception {
 		assertTrue(userInfoClaims.containsKey("is_certified"));
 		assertTrue(userInfoClaims.containsKey("team"));
 
+		// introspect the access token
+		{
+			SimpleHttpRequest request = new SimpleHttpRequest();
+			request.setUri(config.getAuthenticationServicePublicEndpoint()+"/oauth2/introspect");
+			Map<String, String> requestHeaders = new HashMap<>();
+			requestHeaders.put("Content-Type", "application/x-www-form-urlencoded");
+			request.setHeaders(requestHeaders);
+			String requestBody = "token="+tokenResponse.getAccess_token();
+			SimpleHttpResponse response = simpleClient.post(request, requestBody);
+			assertEquals(HttpStatus.SC_OK, response.getStatusCode());
+			assertNotNull(response.getContent());
+			OAuthTokenIntrospectionResponse introspectionResponse = new OAuthTokenIntrospectionResponse(new JSONObjectAdapterImpl(response.getContent()));
+			assertTrue(introspectionResponse.getActive());
+		}
+
 		// Note, we use a bearer token to authorize the client 
 		try {
 			synapseClientForOAuthClient.setBearerAuthorizationToken(tokenResponse.getAccess_token());

lib/lib-auto-generated/src/main/resources/schema/org/sagebionetworks/repo/model/oauth/OAuthTokenIntrospectionRequest.json

@@ -0,0 +1,13 @@
+{
+    "description": "Request to introspect an OAuth 2.0 access token, loosely based on <a href=\"https://tools.ietf.org/html/rfc7662\">RFC 7662</a>.",
+ 	"properties": {
+		"token": {
+			"type": "string",
+			"description": "The access token to introspect"
+		},
+		"max_age": {
+			"type": "integer",
+			"description": "Optional maximum authentication age in seconds. If the user's authentication occurred more than this many seconds ago, the token is considered inactive."
+		}
+	}
+}

lib/lib-auto-generated/src/main/resources/schema/org/sagebionetworks/repo/model/oauth/OAuthTokenIntrospectionResponse.json

@@ -0,0 +1,44 @@
+{
+    "description": "Response from token introspection conforming to <a href=\"https://tools.ietf.org/html/rfc7662\">RFC 7662</a>.",
+ 	"properties": {
+		"active": {
+			"type": "boolean",
+			"description": "Whether the token is active"
+		},
+		"scope": {
+			"type": "string",
+			"description": "A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0"
+		},
+		"aud": {
+			"type": "string",
+			"description": "The audience (realm or OAuth Client) the token was issued for"
+		},
+		"sub": {
+			"type": "string",
+			"description": "Subject identifier. For a first-party access token, this is the Synapse user ID. For tokens issued to OAuth Clients, this is a PPID (Pairwise Pseudonymous Identifier)"
+		},
+		"token_type": {
+			"$ref": "org.sagebionetworks.repo.model.auth.TokenType"
+		},
+		"exp": {
+			"type": "integer",
+			"description": "Expiration time (seconds since epoch)"
+		},
+		"iat": {
+			"type": "integer",
+			"description": "Issued at time (seconds since epoch)"
+		},
+		"auth_time": {
+			"type": "integer",
+			"description": "Time of user authentication (seconds since epoch)"
+		},
+		"iss": {
+			"type": "string",
+			"description": "Token issuer"
+		},
+		"jti": {
+			"type": "string",
+			"description": "Unique token identifier"
+		}
+	}
+}

lib/lib-auto-generated/src/main/resources/schema/org/sagebionetworks/repo/model/oauth/OIDConnectConfiguration.json

@@ -21,6 +21,10 @@
 			"type": "string",
 			"description": "URL of the Synapse UserInfo Endpoint"
 		},
+		"introspection_endpoint": {
+			"type": "string",
+			"description": "URL of the Synapse OAuth 2.0 Token Introspection Endpoint"
+		},
 		"jwks_uri": {
 			"type": "string",
 			"description": "URL of the Synapse JSON Web Key Set [JWK] document."

services/repository-managers/src/main/java/org/sagebionetworks/repo/manager/oauth/OpenIDConnectManager.java

@@ -4,6 +4,7 @@
 import org.sagebionetworks.repo.model.UnauthorizedException;
 import org.sagebionetworks.repo.model.UserInfo;
 import org.sagebionetworks.repo.model.oauth.OAuthAuthorizationResponse;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.repo.model.oauth.OAuthTokenRevocationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequestDescription;
@@ -100,4 +101,13 @@ public static String getScopeHash(OIDCAuthorizationRequest authorizationRequest)
 	 */
 	void revokeUserAccess(Long userId);
 
+	/**
+	 * Introspect an OAuth 2.0 access token, returning whether the token is active and its claims.
+	 *
+	 * @param token the access token to introspect
+	 * @param maxAge optional maximum authentication age in seconds
+	 * @return the introspection response
+	 */
+	OAuthTokenIntrospectionResponse introspectToken(String token, Long maxAge);
+
 }

services/repository-managers/src/main/java/org/sagebionetworks/repo/manager/oauth/OpenIDConnectManagerImpl.java

@@ -14,6 +14,7 @@
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 import org.apache.commons.lang3.StringUtils;
 import org.sagebionetworks.manager.util.OAuthPermissionUtils;
@@ -22,7 +23,6 @@
 import org.sagebionetworks.repo.manager.authentication.PersonalAccessTokenManager;
 import org.sagebionetworks.repo.manager.oauth.claimprovider.OIDCClaimProvider;
 import org.sagebionetworks.repo.model.AuthorizationConstants;
-import org.sagebionetworks.repo.model.AuthorizationUtils;
 import org.sagebionetworks.repo.model.UserInfo;
 import org.sagebionetworks.repo.model.auth.AuthenticationDAO;
 import org.sagebionetworks.repo.model.auth.OAuthClientDao;
@@ -33,6 +33,7 @@
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformation;
 import org.sagebionetworks.repo.model.oauth.OAuthResponseType;
 import org.sagebionetworks.repo.model.oauth.OAuthScope;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.repo.model.oauth.OAuthTokenRevocationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequestDescription;
@@ -692,4 +693,101 @@ public void revokeUserAccess(Long userId) {
 		oauthDao.deleteAllAuthorizationConsents(userId);
 	}
 
+	private static OAuthTokenIntrospectionResponse inactiveIntrospectionResponse() {
+		return new OAuthTokenIntrospectionResponse().setActive(false);
+	}
+
+	@Override
+	public OAuthTokenIntrospectionResponse introspectToken(String token, Long maxAge) {
+		ValidateArgument.required(token, "token");
+
+		// Parse the JWT. If parsing fails (expired, invalid signature, etc.), the token is inactive.
+		Jwt<JwsHeader, Claims> jwt;
+		try {
+			jwt = oidcTokenManager.parseJWT(token);
+		} catch (Exception e) {
+			return inactiveIntrospectionResponse();
+		}
+
+		Claims claims = jwt.getBody();
+
+		// Check token type — only OIDC_ACCESS_TOKEN and PERSONAL_ACCESS_TOKEN are valid
+		TokenType tokenType;
+		try {
+			tokenType = TokenType.valueOf(claims.get(OIDCClaimName.token_type.name(), String.class));
+		} catch (Exception e) {
+			return inactiveIntrospectionResponse();
+		}
+
+		switch (tokenType) {
+			case OIDC_ACCESS_TOKEN:
+				String tokenId = claims.getId();
+				if (!oidcTokenManager.doesOIDCAccessTokenExist(tokenId)) {
+					return inactiveIntrospectionResponse();
+				}
+				String refreshTokenId = claims.get(OIDCClaimName.refresh_token_id.name(), String.class);
+				if (refreshTokenId != null && !oauthRefreshTokenManager.isRefreshTokenActive(refreshTokenId)) {
+					return inactiveIntrospectionResponse();
+				}
+				break;
+			case PERSONAL_ACCESS_TOKEN:
+				String personalAccessTokenId = claims.getId();
+				if (!personalAccessTokenManager.isTokenActive(personalAccessTokenId)) {
+					return inactiveIntrospectionResponse();
+				}
+				break;
+			case OIDC_ID_TOKEN:
+				// ID tokens cannot be "revoked", so there is nothing to check.
+				// The parse step above would have thrown an exception if it expired
+				break;
+			default:
+				return inactiveIntrospectionResponse();
+		}
+
+		// Check max_age if provided
+		// auth_time is stored as seconds since epoch in the JWT
+		Number authTimeValue = claims.get(OIDCClaimName.auth_time.name(), Number.class);
+		Long authTimeSeconds = authTimeValue != null ? authTimeValue.longValue() : null;
+
+		if (maxAge != null && authTimeSeconds != null) {
+			long nowSeconds = clock.currentTimeMillis() / 1000L;
+			if (nowSeconds - authTimeSeconds > maxAge) {
+				return inactiveIntrospectionResponse();
+			}
+		} else if (maxAge != null && authTimeSeconds == null) {
+			// max_age was requested but auth_time is not available in the token
+			// This should never happen, but fail the request since we cannot guarantee the token is still valid
+			return inactiveIntrospectionResponse();
+		}
+
+		// Build the active response with claims from the JWT
+		OAuthTokenIntrospectionResponse response = new OAuthTokenIntrospectionResponse();
+		response.setActive(true);
+		response.setSub(claims.getSubject());
+		response.setAud(claims.getAudience());
+		response.setIss(claims.getIssuer());
+		response.setJti(claims.getId());
+		response.setToken_type(tokenType);
+
+		if (claims.getExpiration() != null) {
+			response.setExp(claims.getExpiration().getTime() / 1000L);
+		}
+		if (claims.getIssuedAt() != null) {
+			response.setIat(claims.getIssuedAt().getTime() / 1000L);
+		}
+		if (authTimeSeconds != null) {
+			response.setAuth_time(authTimeSeconds);
+		}
+
+		// space-delimited string containing all scopes
+		response.setScope(ClaimsJsonUtil.getScopeFromClaims(claims)
+				.stream()
+				.map(OAuthScope::name)
+				.collect(Collectors.joining(" "))
+		);
+
+		return response;
+	}
+
+
 }

services/repository-managers/src/main/java/org/sagebionetworks/repo/service/auth/OpenIDConnectService.java

@@ -11,6 +11,8 @@
 import org.sagebionetworks.repo.model.oauth.OAuthGrantType;
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformation;
 import org.sagebionetworks.repo.model.oauth.OAuthRefreshTokenInformationList;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionRequest;
+import org.sagebionetworks.repo.model.oauth.OAuthTokenIntrospectionResponse;
 import org.sagebionetworks.repo.model.oauth.OAuthTokenRevocationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequest;
 import org.sagebionetworks.repo.model.oauth.OIDCAuthorizationRequestDescription;
@@ -173,4 +175,6 @@ public OIDCTokenResponse getTokenResponse(String verifiedClientId, OAuthGrantTyp
 	OAuthRefreshTokenInformation getRefreshTokenMetadataAsUser(Long userId, String tokenId);
 
 	OAuthRefreshTokenInformation getRefreshTokenMetadataAsClient(String verifiedClientId, String tokenId);
+
+	OAuthTokenIntrospectionResponse introspectToken(Long userId, OAuthTokenIntrospectionRequest request);
 }