Support refresh token introspection

Author: cicnavi

docker/ssp/config-override.php

@@ -14,4 +14,5 @@
         'language.i18n.backend' => 'gettext/gettext',
         'logging.level' => 7,
         'usenewui' => false,
+
     ] + $config;

docker/ssp/module_oidc.php

@@ -128,4 +128,16 @@
     ModuleConfig::OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS => [
         // Use defaults
     ],
+
+    ModuleConfig::OPTION_API_ENABLED => true,
+
+    ModuleConfig::OPTION_API_VCI_CREDENTIAL_OFFER_ENDPOINT_ENABLED => true,
+
+    ModuleConfig::OPTION_API_OAUTH2_TOKEN_INTROSPECTION_ENDPOINT_ENABLED => true,
+
+    ModuleConfig::OPTION_API_TOKENS => [
+        'strong-random-token-string' => [
+            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::All, // Gives access to the whole API.
+        ],
+    ],
 ];

routing/services/services.yml

@@ -96,8 +96,8 @@ services:
   SimpleSAML\Module\oidc\Utils\RequestParamsResolver: ~
   SimpleSAML\Module\oidc\Utils\ClassInstanceBuilder: ~
   SimpleSAML\Module\oidc\Utils\JwksResolver: ~
+  SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver: ~
   SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor:
-  SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver:
     factory: ['@SimpleSAML\Module\oidc\Factories\ClaimTranslatorExtractorFactory', 'build']
   SimpleSAML\Module\oidc\Utils\FederationCache:
     factory: ['@SimpleSAML\Module\oidc\Factories\CacheFactory', 'forFederation'] # Can return null

src/Bridges/OAuth2Bridge.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Bridges;
+
+use Defuse\Crypto\Crypto;
+use Defuse\Crypto\Key;
+use SimpleSAML\Module\oidc\Exceptions\OidcException;
+use SimpleSAML\Module\oidc\ModuleConfig;
+
+class OAuth2Bridge
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+    ) {
+    }
+
+    /**
+     * Bridge `encrypt` function, which can be used instead of
+     * \League\OAuth2\Server\CryptTrait::encrypt()
+     *
+     * @param string $unencryptedData
+     * @param Key|string $encryptionKey
+     * @return string
+     * @throws OidcException
+     */
+    public function encrypt(
+        string $unencryptedData,
+        null|Key|string $encryptionKey = null,
+    ): string {
+        $encryptionKey ??= $this->moduleConfig->getEncryptionKey();
+
+        try {
+            return $encryptionKey instanceof Key ?
+            Crypto::encrypt($unencryptedData, $encryptionKey) :
+            Crypto::encryptWithPassword($unencryptedData, $encryptionKey);
+        } catch (\Exception $e) {
+            throw new OidcException('Error enrypting data: ' . $e->getMessage(), (int)$e->getCode(), $e);
+        }
+    }
+
+    /**
+     * Bridge `decrypt` function, which can be used instead of
+     * \League\OAuth2\Server\CryptTrait::decrypt()
+     *
+     * @param string $encryptedData
+     * @param Key|string $encryptionKey
+     * @return string
+     * @throws OidcException
+     */
+    public function decrypt(
+        string $encryptedData,
+        null|Key|string $encryptionKey = null,
+    ): string {
+        $encryptionKey ??= $this->moduleConfig->getEncryptionKey();
+
+        try {
+            return $encryptionKey instanceof Key ?
+            Crypto::decrypt($encryptedData, $encryptionKey) :
+            Crypto::decryptWithPassword($encryptedData, $encryptionKey);
+        } catch (\Exception $e) {
+            throw new OidcException('Error decrypting data: ' . $e->getMessage(), (int)$e->getCode(), $e);
+        }
+    }
+}

src/Controllers/OAuth2/TokenIntrospectionController.php

@@ -4,9 +4,11 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\OAuth2;
 
+use SimpleSAML\Module\oidc\Bridges\OAuth2Bridge;
 use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
 use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator;
 use SimpleSAML\Module\oidc\Services\Api\Authorization;
@@ -34,6 +36,8 @@ public function __construct(
         protected readonly Authorization $apiAuthorization,
         protected readonly RequestParamsResolver $requestParamsResolver,
         protected readonly BearerTokenValidator $bearerTokenValidator,
+        protected readonly OAuth2Bridge $oAuth2Bridge,
+        protected readonly RefreshTokenRepository $refreshTokenRepository,
     ) {
         if (!$this->moduleConfig->getApiEnabled()) {
             $this->loggerService->warning('API capabilities not enabled.');
@@ -48,7 +52,6 @@ public function __construct(
 
     public function __invoke(Request $request): Response
     {
-        // TODO mivanci Add support for Refresh Tokens.
         // TODO mivanci Add endpoint to OAuth2 discovery document.
 
         try {
@@ -80,46 +83,140 @@ public function __invoke(Request $request): Response
             );
         }
 
-        // For now, we will only support Access Tokens.
-//        $tokenTypeHintParam = $this->requestParamsResolver->getFromRequestBasedOnAllowedMethods(
-//            ParamsEnum::TokenTypeHint->value,
-//            $request,
-//            $allowedMethods,
-//        );
+        $tokenTypeHintParam = $this->requestParamsResolver->getFromRequestBasedOnAllowedMethods(
+            ParamsEnum::TokenTypeHint->value,
+            $request,
+            $allowedMethods,
+        );
 
+        $payload = null;
+        if (is_null($tokenTypeHintParam)) {
+            $payload = $this->resolveAccessTokenPayload($tokenParam) ??
+            $this->resolveRefreshTokenPayload($tokenParam);
+        } elseif ($tokenTypeHintParam === 'access_token') {
+            $payload = $this->resolveAccessTokenPayload($tokenParam);
+        } elseif ($tokenTypeHintParam === 'refresh_token') {
+            $payload = $this->resolveRefreshTokenPayload($tokenParam);
+        }
+
+        $payload = $payload ?? ['active' => false];
+
+        return $this->routes->newJsonResponse($payload);
+    }
+
+    protected function resolveAccessTokenPayload(string $tokenParam): ?array
+    {
         try {
             $accessToken = $this->bearerTokenValidator->ensureValidAccessToken($tokenParam);
         } catch (\Throwable $e) {
-            $this->loggerService->error('Token validation failed: ' . $e->getMessage());
-            return $this->routes->newJsonResponse(['active' => false]);
+            $this->loggerService->error('Access token validation failed: ' . $e->getMessage());
+            return null;
         }
+
+        // See \SimpleSAML\Module\oidc\Entities\AccessTokenEntity::convertToJWT
+        // for claims set on the access token.
+
         $scopeClaim = null;
         /** @psalm-suppress MixedAssignment */
         $accessTokenScopes = $accessToken->getPayloadClaim('scopes');
         if (is_array($accessTokenScopes)) {
-            $accessTokenScopes = array_filter(
-                $accessTokenScopes,
-                static fn($scope) => is_string($scope) && !empty($scope),
-            );
-            $scopeClaim = implode(' ', $accessTokenScopes);
+            $scopeClaim = $this->prepareScopeString($accessTokenScopes);
         }
 
-        $audience = is_array($audience = $accessToken->getAudience()) ? $audience[0] ?? null : null;
+        $clientId = is_array($audience = $accessToken->getAudience()) ? $audience[0] ?? null : null;
 
-        $payload = array_filter([
+        return array_filter([
             'active' => true,
             'scope' => $scopeClaim,
+            'client_id' => $clientId,
             'token_type' => 'Bearer',
             ClaimsEnum::Exp->value => $accessToken->getExpirationTime(),
             ClaimsEnum::Iat->value => $accessToken->getIssuedAt(),
             ClaimsEnum::Nbf->value => $accessToken->getNotBefore(),
             ClaimsEnum::Sub->value => $accessToken->getSubject(),
-            ClaimsEnum::Aud->value => $audience,
+            ClaimsEnum::Aud->value => $accessToken->getAudience(),
             ClaimsEnum::Iss->value => $accessToken->getIssuer(),
             ClaimsEnum::Jti->value => $accessToken->getJwtId(),
         ]);
+    }
 
-        return $this->routes->newJsonResponse($payload);
+    /**
+     * @psalm-suppress MixedAssignment
+     */
+    public function resolveRefreshTokenPayload(string $tokenParam): ?array
+    {
+        try {
+            $decryptedToken = $this->oAuth2Bridge->decrypt($tokenParam);
+            $tokenData = json_decode($decryptedToken, true, 512, JSON_THROW_ON_ERROR);
+        } catch (\Exception $e) {
+            $this->loggerService->error('Refresh token decrypting failed: ' . $e->getMessage());
+            return null;
+        }
+
+        if (!is_array($tokenData)) {
+            $this->loggerService->error('Refresh token has unexpected type.');
+            return null;
+        }
+
+        // See \League\OAuth2\Server\ResponseTypes\BearerTokenResponse::generateHttpResponse for claims set on
+        // the refresh token.
+
+        $expireTime = is_int($expireTime = $tokenData['expire_time'] ?? null) ? $expireTime : null;
+
+        if (is_null($expireTime)) {
+            $this->loggerService->error('Refresh token has no expiration time.');
+            return null;
+        }
+
+        if ($expireTime < time()) {
+            $this->loggerService->error('Refresh token has expired.');
+            return null;
+        }
+
+        $refreshTokenId = is_string($refreshTokenId = $tokenData['refresh_token_id'] ?? null) ? $refreshTokenId : null;
+
+        if (is_null($refreshTokenId)) {
+            $this->loggerService->error('Refresh token has no ID.');
+            return null;
+        }
+
+        try {
+            if ($this->refreshTokenRepository->isRefreshTokenRevoked($refreshTokenId)) {
+                $this->loggerService->error('Refresh token has been revoked.');
+                return null;
+            }
+        } catch (OidcServerException $e) {
+            $this->loggerService->error('Refresh token revocation check failed: ' . $e->getMessage());
+            return null;
+        }
+
+        $scopeClaim = null;
+        $refreshTokenScopes = $tokenData['scopes'] ?? null;
+        if (is_array($refreshTokenScopes)) {
+            $scopeClaim = $this->prepareScopeString($refreshTokenScopes);
+        }
+
+        $clientId = is_string($clientId = $tokenData['client_id'] ?? null) ? $clientId : null;
+
+        return array_filter([
+            'active' => true,
+            'scope' => $scopeClaim,
+            'client_id' => $clientId,
+            ClaimsEnum::Exp->value => $expireTime,
+            ClaimsEnum::Sub->value => is_string($tokenData['user_id'] ?? null) ? $tokenData['user_id'] : null,
+            ClaimsEnum::Aud->value => $clientId,
+            ClaimsEnum::Jti->value => $refreshTokenId,
+        ]);
+    }
+
+    protected function prepareScopeString(array $scopes): string
+    {
+        $scopes = array_filter(
+            $scopes,
+            static fn($scope) => is_string($scope) && !empty($scope),
+        );
+
+        return implode(' ', $scopes);
     }
 
     /**
@@ -138,19 +235,24 @@ protected function ensureAuthenticatedClient(Request $request): void
             $resolvedClientAuthenticationMethod->getClientAuthenticationMethod()->isNotNone()
         ) {
             $this->loggerService->debug(
-                'Client authenticated using supported OAuth2 client authentication method: ' .
-                $resolvedClientAuthenticationMethod->getClientAuthenticationMethod()->value,
+                sprintf(
+                    'Client %s authenticated using supported OAuth2 client authentication method %s.',
+                    $resolvedClientAuthenticationMethod->getClient()->getIdentifier(),
+                    $resolvedClientAuthenticationMethod->getClientAuthenticationMethod()->value,
+                ),
             );
+
             return;
         }
 
         $this->loggerService->debug('No regular OAuth2 client authentication method found.');
         $this->loggerService->debug('Trying API client authentication method.');
 
-
         $this->apiAuthorization->requireTokenForAnyOfScope(
             $request,
             [ApiScopesEnum::OAuth2TokenIntrospection, ApiScopesEnum::OAuth2All, ApiScopesEnum::All],
         );
+
+        $this->loggerService->debug('API client authenticated.');
     }
 }

src/Services/Api/Authorization.php

@@ -60,28 +60,26 @@ public function requireTokenForAnyOfScope(Request $request, array $requiredScope
         }
 
         if (empty($token = $this->findToken($request))) {
-            throw new AuthorizationException(Translate::noop('Token not provided.'));
+            throw new AuthorizationException(Translate::noop('Authorization token not provided.'));
         }
 
         if (empty($tokenScopes = $this->moduleConfig->getApiTokenScopes($token))) {
-            throw new AuthorizationException(Translate::noop('Token does not have defined scopes.'));
+            throw new AuthorizationException(Translate::noop('Authorization token does not have defined scopes.'));
         }
 
         $hasAny = !empty(array_filter($tokenScopes, fn($tokenScope) => in_array($tokenScope, $requiredScopes, true)));
 
         if (!$hasAny) {
-            throw new AuthorizationException(Translate::noop('Token is not authorized.'));
+            throw new AuthorizationException(Translate::noop('Authorization token is not authorized for this action.'));
         }
     }
 
     protected function findToken(Request $request): ?string
     {
-        /** @psalm-suppress InternalMethod */
-        if ($token = trim((string) $request->get(self::KEY_TOKEN))) {
-            return $token;
-        }
-
-        if ($request->headers->has(self::KEY_AUTHORIZATION)) {
+        if (
+            is_string($authorizationHeader = $request->headers->get(self::KEY_AUTHORIZATION))
+            && str_starts_with($authorizationHeader, 'Bearer ')
+        ) {
             return trim(
                 (string) preg_replace(
                     '/^\s*Bearer\s/',
@@ -91,6 +89,12 @@ protected function findToken(Request $request): ?string
             );
         }
 
+        // Fallback to token parameter.
+        /** @psalm-suppress InternalMethod */
+        if ($token = trim((string) $request->get(self::KEY_TOKEN))) {
+            return $token;
+        }
+
         return null;
     }
 }

tests/unit/src/Server/Validators/BearerTokenValidatorTest.php

@@ -51,6 +51,7 @@ public function setUp(): void
         $this->accessTokenRepositoryMock = $this->createMock(AccessTokenRepository::class);
         $this->serverRequest = new ServerRequest();
         $this->moduleConfigMock = $this->createMock(ModuleConfig::class);
+        $this->moduleConfigMock->method('getIssuer')->willReturn('issuer123');
 
         $this->jwsMock = $this->createMock(Jws::class);
         $this->jwksMock = $this->createMock(Jwks::class);
@@ -62,6 +63,7 @@ public function setUp(): void
 
         $this->accessTokenState = [
             'id' => 'accessToken123',
+            'iss' => 'issuer123',
             'scopes' => '{"openid":"openid","profile":"profile"}',
             'expires_at' => date('Y-m-d H:i:s', time() + 60),
             'user_id' => 'user123',
@@ -80,6 +82,7 @@ public function setUp(): void
         $this->parsedJwsMock = $this->createMock(ParsedJws::class);
         $this->parsedJwsMock->method('getJwtId')->willReturn('accessToken123');
         $this->parsedJwsMock->method('getAudience')->willReturn([$this->clientId]);
+        $this->parsedJwsMock->method('getIssuer')->willReturn('issuer123');
     }
 
     protected function sut(