#406 openidc: add token_introspection_endpoint to well-known config
Merged 2 months ago by ngompa. Opened 2 months ago by adamwill.

@@ -750,6 +750,8 @@ 

                                                  'Authorization'),

              'token_endpoint': '%s%s' % (self.cfg.endpoint_url,

                                          'Token'),

+             'token_introspection_endpoint': '%s%s' % (self.cfg.endpoint_url,

+                                         'TokenInfo'),

              'userinfo_endpoint': '%s%s' % (self.cfg.endpoint_url,

                                             'UserInfo'),

              'jwks_uri': '%s%s' % (self.cfg.endpoint_url,
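
Review bot: the key name added in this hunk, `'token_introspection_endpoint'`, needs checking against what flask-oidc actually reads; the follow-up comment on this PR says it looks for `introspection_endpoint` (the name Keycloak publishes alongside the `token_` variant), so this change alone will not fix the waiverdb error. Suggest emitting both keys with the same `'%s%s' % (self.cfg.endpoint_url, 'TokenInfo')` value so either client convention resolves the endpoint, and adding a short comment explaining why two names are published.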

flask-oidc expects the server metadata (found at
.well-known/openid-configuration, and constructed by this
method) to contain a 'token_introspection_endpoint' key in order
to validate tokens via introspection, but we aren't setting it.
Per @puiterwijk it's a de facto but not de jure standard, and he
was trying to follow the spec strictly when writing it. However,
we need this to make token auth work with waiverdb now it's
relying on flask-oidc to validate the token via introspection,
so let's add it. See
https://github.com/release-engineering/waiverdb/issues/219

Signed-off-by: Adam Williamson awilliam@redhat.com

Historical note: token introspection was initially added by @puiterwijk in 19919eed896560bbde0d244a83f37e7753570448 , removed by @dkirwan in 015f4b0595b7b8028343b0fa803846973f153a8e (reason not clear since the commit message is just "WIP"), and restored by @abompard in 51c523a55a3a6c41b45ad0d9981bc410f450c6bf , but without this key that flask-oidc expects. Patrick's original version didn't have it either, but that was back in 2016 and this stuff probably all looked different then.

flask-oidc's code for introspecting tokens is https://github.com/fedora-infra/flask-oidc/blob/develop/flask_oidc/__init__.py#L50 , you can see the expectation that this key exists at https://github.com/fedora-infra/flask-oidc/blob/develop/flask_oidc/__init__.py#L54 . That's exactly the error we're getting from waiverdb staging in Fedora rn (but not waiverdb test in RH internal, where the auth provider is keycloak and the well-known config does have this key).

This looks reasonable to me. :thumbsup:

Pull-Request has been merged by ngompa (2 months ago)

d'oh. flask-oidc expects introspection_endpoint, not token_introspection_endpoint. keycloak sets both, and I think I got flipped around while working on this by looking at the keycloak config. I'll send a follow-up PR to add introspection_endpoint - seems reasonable to set both in ipsilon too.
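
The key-name mismatch discussed in this thread, as an added example that is not Ipsilon's or flask-oidc's own code: the provider side mirrors how the diff builds the discovery document (`endpoint_url` plus the `Authorization`/`Token`/`TokenInfo`/`UserInfo` suffixes) but publishes the introspection URL under both names, and the client side shows the lookup a token validator needs so that a missing key produces a clear error instead of a `KeyError`. The function names, the `issuer` field, the `Jwks` suffix and the consistency check are assumptions, not anything from Ipsilon or flask-oidc.

```python
# Added example, not Ipsilon's or flask-oidc's code. Builds the
# .well-known/openid-configuration document the way the diff above does and
# shows the client-side lookup of the introspection endpoint.

# Both spellings seen in the wild: RFC 8414 and Keycloak use
# 'introspection_endpoint'; some deployments also publish
# 'token_introspection_endpoint'. Publishing both keeps either client working.
INTROSPECTION_KEYS = ('introspection_endpoint', 'token_introspection_endpoint')


def build_openidc_metadata(endpoint_url):
    """Return the discovery document for a provider rooted at endpoint_url.

    The diff concatenates endpoint_url and a suffix directly, so endpoint_url
    is assumed to end with a slash; one is appended here if it does not.
    """
    if not endpoint_url.endswith('/'):
        endpoint_url += '/'
    introspection = '%s%s' % (endpoint_url, 'TokenInfo')
    metadata = {
        'issuer': endpoint_url.rstrip('/'),  # assumed: issuer is the base URL
        'authorization_endpoint': '%s%s' % (endpoint_url, 'Authorization'),
        'token_endpoint': '%s%s' % (endpoint_url, 'Token'),
        'userinfo_endpoint': '%s%s' % (endpoint_url, 'UserInfo'),
        'jwks_uri': '%s%s' % (endpoint_url, 'Jwks'),  # assumed path suffix
    }
    # Same URL under both key names, which is what the follow-up proposes.
    for key in INTROSPECTION_KEYS:
        metadata[key] = introspection
    return metadata


def resolve_introspection_endpoint(metadata):
    """Pick the introspection URL a client should call.

    Accepts either key name and raises a descriptive ValueError when neither
    is present, which is the failure waiverdb hit against the old metadata.
    """
    for key in INTROSPECTION_KEYS:
        url = metadata.get(key)
        if url:
            return url
    raise ValueError(
        'server metadata has no introspection endpoint; expected one of: %s'
        % ', '.join(INTROSPECTION_KEYS))


def endpoints_outside_issuer(metadata):
    """Return the keys whose URL does not sit under the issuer.

    A discovery document should only point a client at its own endpoints;
    a jwks_uri or introspection URL on another host is worth rejecting.
    """
    issuer = metadata['issuer'].rstrip('/') + '/'
    bad = []
    for key, value in metadata.items():
        if key.endswith('_endpoint') or key == 'jwks_uri':
            if not value.startswith(issuer):
                bad.append(key)
    return sorted(bad)


if __name__ == '__main__':
    # Constructed sample provider URL, not a real deployment.
    doc = build_openidc_metadata('https://id.example.org/openidc/')
    print(resolve_introspection_endpoint(doc))
    print(endpoints_outside_issuer(doc))
```

`resolve_introspection_endpoint` is the part a client library would want: tolerating both names costs nothing and avoids a hard dependency on which spelling a given provider happens to publish.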
