Switch from OIDC UserInfo to OAuth 2.0 Token Introspection

The UserInfo endpoint is for fetching the users profile (name, email, phone number, picture, and so on). Token introspection is for inspecting the access token and determining the authorities the user has (subject (principal), entitlements, and scopes granted).
2025-03-24 10:58:40 +01:00 · 2025-03-24 10:58:40 +01:00 · dce824b5dd
commit dce824b5dd
parent 09babb829a
3 changed files with 4 additions and 3 deletions
--- a/api/init.py
+++ b/api/init.py
@ -69,7 +69,7 @@ def setup() -> None:

    token = request.cookies.get(token_cookie)
    user_info = oauth.authorize(token)
-    if not user_info:
+    if not user_info or not user_info.active:
        return Response(status=403)

    if not check_access(user_info['entitlements']):
--- a/api/oauth.py
+++ b/api/oauth.py
@ -22,8 +22,9 @@ class Oauth:
        return response.json()['access_token']

    def authorize(self, token: str) -> dict:
+        body = {'token': token}
        response = self.session.post(self.introspection_url,
-                                     data=token)
+                                     data=body)
        try:
            response.raise_for_status()
        except requests.HTTPError:
--- a/config.ini.example
+++ b/config.ini.example
@ -57,6 +57,6 @@ required_entitlement = urn:mace:some:entitlement
 [oauth]
 authorization_url = https://oauth.example/authorize
 token_url = https://oauth.example/exchange
-introspection_url = https://oauth.example/verify
+introspection_url = https://oauth.example/introspect
 client_id = some_id_string
 client_secret = some_secret_string