Add introspection implementation #925
Conversation
according to RFC 7662 the introspection mechanism is implemented
…flow Co-authored-by: Rob Taylor <robbytaylor@users.noreply.github.com>
…feature/add-introspection-implementation-code-review # Conflicts: # src/Grant/AuthCodeGrant.php
|
Thanks for this @StevePorter92 and apologies for not picking this up yet. I plan on setting some time aside this weekend to pick up some of the pending PRs. Thanks for your patience and thank you for your contribution |
|
Hey @Sephster, don't suppose you have had a chance to cast your eye of this? |
|
Sorry @StevePorter92 I have not yet. I have been working on numerous things for the library over the past week or so. I'm focussing on getting the PKCE changes into version 8 at the moment as there was at one time 3 separate pull requests trying to address some implemenation concerns around that. Once I've finished this (which is now fairly close to be honest), I will look at getting this reviewed. Thanks for your patience |
|
Hey @Sephster, no worries at all! 😄 |
|
Hi @StevePorter92. Thanks for your patience here. A couple of things spring to mind at the moment which I think are missing from this at the moment:
Thanks for your efforts to date. I hope these comments are useful. Cheers! |
|
Hey @Sephster. Sorry for the delay. Little snowed under recently yes. I've got a few updates I'll check-in hopefully this evening to address your comments. Thanks for the support! |
The JWT logic has been moved from the introspection response and is now in the child class BearerTokenIntrospectionResponse
|
Added some changes to address your comments @Sephster. The Introspector now validates through a IntrospectionValidator interface. I've moved all of the token logic to a BearerTokenValidator class. This should give implementers the freedom to validate introspection requests for other formats. I'm a little unsure as to the best way to get the resource server to use our new endpoint so could do with being pointed in the right direction. My current line of thought is to create a Also a little unsure on the best way to protect this new endpoint. What are your thoughts on this? Thanks again. |
|
So, I'm currently sort of in the need of introspection because I want to use Express Gateways OAuth 2.0 Introspection functionality with my Lumen 5.8 + Passport based Microservice - any eta on the implementation of Introspection? |
|
Sorry for the pings but, anything @StevePorter92 or @Sephster ? |
|
It is awaiting review from myself. I will get to it eventually but don't have a firm timeline for this at present sorry. |
|
Ah okay, currently got it half working by using a separate package - only running into one problem which is that the |
|
So when can we expect this to be implemented @Sephster - cause currently it's a big stopper when you want to use the Microservices Architecture with Laravel or Lumen Or do you have an alternative/workaround? |
1 similar comment
|
So when can we expect this to be implemented @Sephster - cause currently it's a big stopper when you want to use the Microservices Architecture with Laravel or Lumen Or do you have an alternative/workaround? |
|
As @Sephster said, there isn't currently a timeline for this feature @dvdbot. Introspection can be achieved with laravel through passport and https://github.com/designmynight/laravel-oauth-introspect-middleware. Currently what's outstanding is finding a sensible way for the resource server to use introspection. We also need to consider authentication. @Sephster, when you come to review this, let me know if there's anything I can pick up. |
|
Will do, thanks @StevePorter92. I should have some free time this evening. Unfortunately @dvdbot, this isn't just a case of reviewing the code. I also need to familiarise myself with the RFC to ensure it is conforming to spec which is why PRs such as this take longer than a normal bug fix. I won't be drawn on timescales as I find they are nearly always optimistic. Hope you understand and sorry I can't give a more definitive answer than that |
|
@StevePorter92 and @Sephster - I've got it working for the moment as follows: $this->publicKey = new CryptKey('file://'.Passport::keyPath('oauth-'. 'public' .'.key'), null, null);Above I stole from somewhere inside the Passport package 😂 Now I can at least introspect |
| { | ||
| if ($this->introspectionValidator instanceof IntrospectionValidatorInterface === false) { | ||
| $this->introspectionValidator = new BearerTokenValidator($this->accessTokenRepository); | ||
| } |
There was a problem hiding this comment.
The BearerTokenValidator has no validation-key set, unless you also call here
$this->introspectionValidator->setPrivateKey($this->privateKey);
But that also requires that the public-key is also added to the private-key file, as Lcobucci\JWT\Signer\Rsa::doVerify($expected, $payload, Key $key) calls open_ssl_publickey($key->getContent())!
With that change I was able to verify/introspect access_keys generated by my server.
I'm currently implementing an OpenID Connect / OAuth2 server for EGroupware
|
I'm just wondering why you put the introspection logic in the authorization server? Shouldn't it be in the resource server? Then create a new validator |
|
Is this feature still being actively considered for development? |
|
Yes. Rough plan is to get Device Code in place and then this. January is super busy for me as I need to do tax returns etc but will be picking up speed on this soon. Cheers |
|
How is the progress? |
|
Sorry to comment, but any ETA? |
|
Sorry to comment. How is the progress? |
|
How can I help to make this happen? I think this feature would be very useful. |
|
I need this to create separate auth and resource servers in a project at work. Any updates? How can I help? |
|
I'm working on the 9.0 release right now so have added this to the milestone but I don't expect this to be out for at least a month, maybe more sorry |
Off the back of the pull request comments laid out here #869. I thought I would take the comments on board, as I am keen to start using the introspection features already started by @fetzi.