Merge pull request 'Switch from OIDC UserInfo to OAuth 2.0 Token Introspection' (#1) from token-introspection into main

Reviewed-on: #1
2025-03-24 13:59:07 +01:00 · 2025-03-24 13:59:07 +01:00 · dcacd0cc1d
commit dcacd0cc1d
parent 09babb829a 69fd819ee5
3 changed files with 4 additions and 3 deletions
--- a/api/init.py
+++ b/api/init.py
@ -69,7 +69,7 @@ def setup() -> None:

    token = request.cookies.get(token_cookie)
    user_info = oauth.authorize(token)
-    if not user_info:
+    if not user_info or not user_info['active']:
        return Response(status=403)

    if not check_access(user_info['entitlements']):
--- a/api/oauth.py
+++ b/api/oauth.py
@ -22,8 +22,9 @@ class Oauth:
        return response.json()['access_token']

    def authorize(self, token: str) -> dict:
+        body = {'token': token}
        response = self.session.post(self.introspection_url,
-                                     data=token)
+                                     data=body)
        try:
            response.raise_for_status()
        except requests.HTTPError:
--- a/config.ini.example
+++ b/config.ini.example
@ -57,6 +57,6 @@ required_entitlement = urn:mace:some:entitlement
 [oauth]
 authorization_url = https://oauth.example/authorize
 token_url = https://oauth.example/exchange
-introspection_url = https://oauth.example/verify
+introspection_url = https://oauth.example/introspect
 client_id = some_id_string
 client_secret = some_secret_string