Include introspection endpoint in OAuth2 metadata

Author: cicnavi

src/Controllers/OAuth2/OAuth2ServerConfigurationController.php

@@ -4,23 +4,47 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\OAuth2;
 
+use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\AccessTokenTypesEnum;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\ClientAuthenticationMethodsEnum;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
 class OAuth2ServerConfigurationController
 {
     public function __construct(
         protected readonly OpMetadataService $opMetadataService,
         protected readonly Routes $routes,
+        protected readonly ModuleConfig $moduleConfig,
     ) {
     }
 
     public function __invoke(): JsonResponse
     {
         // We'll reuse OIDC configuration.
+        $configuration = $this->opMetadataService->getMetadata();
+
+        if (
+            $this->moduleConfig->getApiEnabled() &&
+            $this->moduleConfig->getApiOAuth2TokenIntrospectionEndpointEnabled()
+        ) {
+            $configuration[ClaimsEnum::IntrospectionEndpoint->value] = $this->routes->urlApiOAuth2TokenIntrospection();
+            $configuration[ClaimsEnum::IntrospectionEndpointAuthMethodsSupported->value] = [
+                ClientAuthenticationMethodsEnum::ClientSecretBasic->value,
+                ClientAuthenticationMethodsEnum::ClientSecretPost->value,
+                ClientAuthenticationMethodsEnum::PrivateKeyJwt->value,
+                AccessTokenTypesEnum::Bearer->value,
+            ];
+            $configuration[ClaimsEnum::IntrospectionEndpointAuthSigningAlgValuesSupported->value] = $this->moduleConfig
+                ->getSupportedAlgorithms()
+                ->getSignatureAlgorithmBag()
+                ->getAllNamesUnique();
+        }
+
         return $this->routes->newJsonResponse(
-            $this->opMetadataService->getMetadata(),
+            $configuration,
         );
 
         // TODO mivanci Add ability for claim 'signed_metadata' when moving to simplesamlphp/openid, as per

src/Utils/Routes.php

@@ -244,4 +244,9 @@ public function urlApiVciCredentialOffer(array $parameters = []): string
     {
         return $this->getModuleUrl(RoutesEnum::ApiVciCredentialOffer->value, $parameters);
     }
+
+    public function urlApiOAuth2TokenIntrospection(array $parameters = []): string
+    {
+        return $this->getModuleUrl(RoutesEnum::ApiOAuth2TokenIntrospection->value, $parameters);
+    }
 }