Use OAuth 2.0 Token Introspection during log in #141

Merged

niat8586 merged 1 commits from token-introspection-login into develop 2025-03-25 08:45:26 +01:00

Conversation 5 Commits 1 Files Changed 4 +60 -2

ansv7779 commented 2025-03-24 23:08:38 +01:00

Owner

Copy Link

Currently, it uses an endpoint similar to OpenID Connect UserInfo but with some differences. The endpoint does not require the "openid" scope for example. There is an ongoing effort to replace the OAuth 2.0 authorization server with a more standard compliant one which would break the endpoint (since it would require the "openid" scope). It is currently not possible to request the "openid" scope to future-proof since Spring would act differently if that scope is present and assume full OpenID Connect. That leads to requiring an id token to have been issued which the current authorization server does not do.

To get around this the implementation is changed to use a standard compliant Token Introspection endpoint to get access to the subject of the access token (which is the only part that's necessary right now). Since the endpoint is standard compliant it will work with any future authorization server.

It may be necessary to run docker compose up --build to get the latest version of the Toker containers.

Currently, it uses an endpoint similar to OpenID Connect UserInfo but with some differences. The endpoint does not require the "openid" scope for example. There is an ongoing effort to replace the OAuth 2.0 authorization server with a more standard compliant one which would break the endpoint (since it would require the "openid" scope). It is currently not possible to request the "openid" scope to future-proof since Spring would act differently if that scope is present and assume full OpenID Connect. That leads to requiring an id token to have been issued which the current authorization server does not do. To get around this the implementation is changed to use a standard compliant Token Introspection endpoint to get access to the subject of the access token (which is the only part that's necessary right now). Since the endpoint is standard compliant it will work with any future authorization server. It may be necessary to run `docker compose up --build` to get the latest version of the Toker containers.

ansv7779 added 1 commit 2025-03-24 23:08:39 +01:00

Use OAuth 2.0 Token Introspection during log in ... 572f6e148f

Currently, it uses an endpoint similar to OpenID Connect UserInfo but with some differences. The endpoint does not require the "openid" scope for example. There is an ongoing effort to replace the OAuth 2.0 authorization server with a more standard compliant one which would break the endpoint (since it would require the "openid" scope). It is currently not possible to request the "openid" scope to future-proof since Spring would act differently if that scope is present and assume full OpenID Connect. That leads to requiring an id token to have been issued which the current authorization server does not do.

To get around this the implementation is changed to use a standard compliant Token Introspection endpoint to get access to the subject of the access token (which is the only part that's necessary right now). Since the endpoint is standard compliant it will work with any future authorization server.

It may be necessary to run "docker compose up --build" to get the latest version of the Toker containers.

ansv7779 commented 2025-03-24 23:09:15 +01:00

Author

Owner

Copy Link

How to test

1. Log in as different users (do not use the switch user function)
2. See that you're logged in as the different users

## How to test 1. Log in as different users (do not use the switch user function) 2. See that you're logged in as the different users

gitea-actions commented 2025-03-24 23:13:19 +01:00

First-time contributor

Copy Link

Deployed to https://scipro-token-introspection-login.branch.dsv.su.se

Deployed to https://scipro-token-introspection-login.branch.dsv.su.se

niat8586 approved these changes 2025-03-25 08:45:15 +01:00

niat8586 left a comment

Owner

Copy Link

👍

👍

niat8586 merged commit e95421b8f2 into develop 2025-03-25 08:45:26 +01:00

niat8586 deleted branch token-introspection-login 2025-03-25 08:45:26 +01:00

niat8586 referenced this issue from a commit 2025-03-25 08:45:28 +01:00

Use OAuth 2.0 Token Introspection during log in (#141)

niat8586 referenced this pull request from DMC/seshat 2025-03-25 13:00:10 +01:00

Use OAuth 2.0 Token Introspection during log in #27

niat8586 referenced this issue from a commit 2025-03-25 13:49:42 +01:00

Use OAuth2 Token Introspection during login

andan commented 2025-03-26 09:20:27 +01:00

Owner

Copy Link

Question: I tried to log in on scipro-dev and I was presented the attached error message?

Question: I tried to log in on scipro-dev and I was presented the attached error message? 

image.png

86 KiB

ansv7779 commented 2025-03-26 09:45:15 +01:00

Author

Owner

Copy Link

Question: I tried to log in on scipro-dev and I was presented the attached error message?

Try again, should work now.

> Question: I tried to log in on scipro-dev and I was presented the attached error message? Try again, should work now.

Sign in to join this conversation.

Reviewers

No Reviewers

niat8586

Labels

Clear labels

bug

Something is not working

discussion

duplicate

This issue or pull request already exists

enhancement

New feature

frozen

The issue is not solved, but it will be investigated in the future it the issue arises again

help wanted

Need some help

invalid

Something is wrong

new

To be discussed at the next meeting

po

approved

po

changes

PO has requested changes

po

needed

question

More information is needed

size

1

size

2

size

3

wontfix

This won't be fixed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: DMC/scipro#141

No description provided.