THREESCALE-10591 token instrospection field removed

[eguzki]

What

Fix https://issues.redhat.com/browse/THREESCALE-10591

From RH-SSO 7.5 doc

In previous versions, Red Hat Single Sign-On advertised two introspection endpoints: token_introspection_endpoint and introspection_endpoint. 

The latter is the one defined by [RFC-8414](https://datatracker.ietf.org/doc/html/rfc8414#section-2). The former was deprecated and is now removed.

The implementation is backward compatible with OIDC configuration services returning deprecated token_introspection_endpoint. When both token_introspection_endpoint and introspection_endpoint fields are in the response of the OIDC configuration service, the latter takes preference as it is the one defined by RFC-8414.

[BREAKING CHANGE] When the introspection URL is not found for whatever reason, the request is rejected with 403 Forbidden. Before this change, the request was allowed by the introspection policy. IMO. if the introspection policy is added to the chain, it is expected that the token is inspected. If checking the token is not done because the URL is missing, the request is rejected. There were some tests that were passing (IMO unexpectedly) because of this issue. I have fixed them as well.

• Added unittests for the token introspection for the use_3scale_oidc_issuer_endpoint auth type (they were never implemented)
• Added e2e tests for the token introspection for the use_3scale_oidc_issuer_endpoint auth type.

Verification Steps

• Setup Red Hat Single Sign-On >= 7.5 instance. 1 realms basic, clients and users
• Install 3scale
  • Integrating 3scale with Red Hat Single Sign-On as the OpenID Connect identity provider
• The OIDC service configuration endpoint only provides introspection_endpoint (realm

curl https://keycloak.example.com/auth/realms/basic/.well-known/openid-configuration 2>/dev/null | yq e '.introspection_endpoint'
https://keycloak.example.com/auth/realms/basic/protocol/openid-connect/token/introspect

And the token_introspection_endpoint is gone

curl https://keycloak.example.com/auth/realms/basic/.well-known/openid-configuration 2>/dev/null | yq e '.token_introspection_endpoint'
null

• Configure a single Product A with an OpenID Provider + realm basic and deployment type as APIcast self-managed
• Create 3scale application App01 for product A. That will generate Client ID and Client Secret.
• Create mapping rule for Product A GET /foo
• Configure a Token Introspection policy with auth_type set to use_3scale_oidc_issuer_endpoint

{
  "name": "apicast.policy.token_introspection",
  "configuration": {
      "auth_type": "use_3scale_oidc_issuer_endpoint"
  }
},  

• Start dev environment

make development
make dependencies

• Run apicast locally

THREESCALE_DEPLOYMENT_ENV=staging APICAST_LOG_LEVEL=debug APICAST_WORKER=1 APICAST_CONFIGURATION_LOADER=lazy APICAST_CONFIGURATION_CACHE=0 THREESCALE_PORTAL_ENDPOINT=https://token@3scale-admin.example.com ./bin/apicast

• Generate token from a realm basic using client credentials from the application App01

curl -v -k -H "Content-Type: application/x-www-form-urlencoded" \
        -d 'grant_type=password' \
        -d 'client_id=${CLIENT_ID_FROM_3SCALE_APPLICATION}' \
        -d 'client_secret=${CLIENT_SECRET_FROM_3SCALE_APPLICATION}' \
        -d 'username=${USER_CREATED_IN_KEYCLOAK}' \
        -d 'password=***' "https://keycloak.example.com/auth/realms/basic/protocol/openid-connect/token"

# capture access token
ACCESS_TOKEN=eyJhb...

• Run query with the valid jwt

# capture apicast IP
APICAST_IP=$(docker inspect apicast_build_0-development-1 | yq e -P '.[0].NetworkSettings.Networks.apicast_build_0_default.IPAddress' -)

curl -i -k -H "Host: example.com:443" -H "Accept: application/json" -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://${APICAST_IP}:8080/foo"

The response should be HTTP/1.1 200 OK

HTTP/1.1 200 OK
Server: openresty
Date: Fri, 19 Jan 2024 23:36:32 GMT
Content-Type: application/json
Content-Length: 2008
Connection: keep-alive
x-3scale-echo-api: echo-api/1.0.3
vary: Origin
x-content-type-options: nosniff
x-envoy-upstream-service-time: 0

• Revoke token.

Go to Red Hat Single Sign-On admin application, and revoke the session (token) from the user menu. It's Log out in RH SSO site. Try to be fast so the token does not expire.

Run the same request, it should get 403 Forbidden.

curl -v -k -H "Host: example.com:443" -H "Accept: application/json" -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://${APICAST_IP}:8080/foo"

HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 19 Jan 2024 23:35:10 GMT
Content-Type: text/plain; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive

Authentication failed

APIcast logs should show something like "token introspection for access token ***** : token not active

If the token has expired, the request is rejected at the rewrite phase, while the token introspection policy is executed at the access phase (which is after the rewrite phase).

[tkan145]

Can we also output an error when self.introspection_url is nil? So in case self.introspection url is nil then at least we know what happened just by checking the log instead of guessing why the APIcast returned 403 (context.service.error auth_failed)

[eguzki]

Added 👍

Log level in WARN, as I consider this as an edge case. When the introspection policy is added, the endpoint should be available

[tkan145]

Hm, adding the log line here might be misleading, if self.introspection_url is valid but introspect_token(self, access_token).active == false then it will first log the token introspection for the token.. line then output token instropection cannot be performed..... Perhaps wrap it in the else statement?

[eguzki]

good catch!

Fixed

[tkan145]

LGTM!