feat: replace jwt token with reference token to access config-api (admin ui plugin) #6562

jans-auth-server/model/src/main/java/io/jans/as/model/config/adminui/OIDCClientSettings.java

@@ -9,6 +9,7 @@
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class OIDCClientSettings {
 
+    private String introspectionEndpoint;
     private String tokenEndpoint;
     private String redirectUri;
     private String postLogoutUri;
@@ -30,12 +31,13 @@ public OIDCClientSettings(String opHost, String clientId, String clientSecret) {
         this.clientSecret = clientSecret;
     }
 
-    public OIDCClientSettings(String opHost, String clientId, String clientSecret, String tokenEndpoint) {
+    public OIDCClientSettings(String opHost, String clientId, String clientSecret, String tokenEndpoint, String introspectionEndpoint) {
 
         this.opHost = opHost;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.tokenEndpoint = tokenEndpoint;
+        this.introspectionEndpoint = introspectionEndpoint;
     }
 
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
@@ -97,18 +99,27 @@ public void setFrontchannelLogoutUri(String frontchannelLogoutUri) {
         this.frontchannelLogoutUri = frontchannelLogoutUri;
     }
 
+    public String getIntrospectionEndpoint() {
+        return introspectionEndpoint;
+    }
+
+    public void setIntrospectionEndpoint(String introspectionEndpoint) {
+        this.introspectionEndpoint = introspectionEndpoint;
+    }
+
     @Override
     public String toString() {
         return "OIDCClientSettings{" +
-                "opHost='" + opHost + '\'' +
-                ", clientId='" + clientId + '\'' +
-                ", clientSecret='" + clientSecret + '\'' +
+                "introspectionEndpoint='" + introspectionEndpoint + '\'' +
                 ", tokenEndpoint='" + tokenEndpoint + '\'' +
                 ", redirectUri='" + redirectUri + '\'' +
                 ", postLogoutUri='" + postLogoutUri + '\'' +
                 ", frontchannelLogoutUri='" + frontchannelLogoutUri + '\'' +
                 ", scopes=" + scopes +
                 ", acrValues=" + acrValues +
+                ", opHost='" + opHost + '\'' +
+                ", clientId='" + clientId + '\'' +
+                ", clientSecret='" + clientSecret + '\'' +
                 '}';
     }
 }

jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/service/BaseService.java

@@ -186,4 +186,24 @@ else if (jwtClaims.getClaim(key) instanceof JSONArray) {
         });
         return claims;
     }
+
+    public Optional<Map<String, Object>> introspectToken(String accessToken, String introspectionEndpoint) {
+        log.info("Token introspection from auth-server.");
+        Invocation.Builder request = ClientFactory.instance().getClientBuilder(introspectionEndpoint);
+        request.header("Authorization", "Bearer " + accessToken);
+
+        MultivaluedMap<String, String> body = new MultivaluedHashMap<>();
+        body.putSingle("token", accessToken);
+
+        Response response = request.post(Entity.form(body));
+
+        log.info("Introspection response status code: {}", response.getStatus());
+
+        if (response.getStatus() == 200) {
+            Optional<Map<String, Object>> entity = Optional.of(response.readEntity(Map.class));
+            log.info("Introspection response entity: {}", entity.get().toString());
+            return entity;
+        }
+        return Optional.empty();
+    }
 }

jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/service/auth/OAuth2Service.java

@@ -5,7 +5,6 @@
 import io.jans.as.client.TokenRequest;
 import io.jans.as.common.service.common.EncryptionService;
 import io.jans.as.model.common.GrantType;
-import io.jans.as.model.jwt.Jwt;
 import io.jans.ca.plugin.adminui.model.auth.ApiTokenRequest;
 import io.jans.ca.plugin.adminui.model.auth.TokenResponse;
 import io.jans.ca.plugin.adminui.model.config.AUIConfiguration;
@@ -21,10 +20,7 @@
 import org.slf4j.Logger;
 
 import java.io.UnsupportedEncodingException;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 @Singleton
 public class OAuth2Service extends BaseService {
@@ -64,17 +60,27 @@ public TokenResponse getApiProtectionToken(ApiTokenRequest apiTokenRequest, Stri
                 tokenResponse = getToken(tokenRequest, auiConfiguration.getAuiBackendApiServerTokenEndpoint(), apiTokenRequest.getUjwt(), apiTokenRequest.getPermissionTag());
             }
 
-            final Jwt tokenJwt = Jwt.parse(tokenResponse.getAccessToken());
-            Map<String, Object> claims = getClaims(tokenJwt);
+            Optional<Map<String, Object>> introspectionResponse = introspectToken(tokenResponse.getAccessToken(), auiConfiguration.getAuiBackendApiServerIntrospectionEndpoint());
+
+
             TokenResponse tokenResp = new TokenResponse();
             tokenResp.setAccessToken(tokenResponse.getAccessToken());
             tokenResp.setIdToken(tokenResponse.getIdToken());
             tokenResp.setRefreshToken(tokenResponse.getRefreshToken());
+
+            if (!introspectionResponse.isPresent()) {
+                return tokenResp;
+            }
             final String SCOPE = "scope";
-            if (claims.get(SCOPE) instanceof List) {
-                tokenResp.setScopes((List) claims.get(SCOPE));
+            Map<String, Object> claims = introspectionResponse.get();
+            if (claims.get(SCOPE) != null) {
+                if (claims.get(SCOPE) instanceof List) {
+                    tokenResp.setScopes((List) claims.get(SCOPE));
+                }
+                if (claims.get(SCOPE) instanceof String) {
+                    tokenResp.setScopes(Arrays.asList(((String) claims.get(SCOPE)).split(" ")));
+                }
             }
-
             if (claims.get("iat") != null) {
                 tokenResp.setIat(Long.valueOf(claims.get("iat").toString()));
             }

jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/service/config/AUIConfigurationService.java

@@ -114,6 +114,7 @@ private AUIConfiguration addPropertiesToAUIConfiguration(String appType, AdminCo
         auiConfig.setAuiBackendApiServerClientSecret(appConf.getMainSettings().getOidcConfig().getAuiBackendApiClient().getClientSecret());
         auiConfig.setAuiBackendApiServerScope(StringUtils.join(appConf.getMainSettings().getOidcConfig().getAuiBackendApiClient().getScopes(), "+"));
         auiConfig.setAuiBackendApiServerTokenEndpoint(appConf.getMainSettings().getOidcConfig().getAuiBackendApiClient().getTokenEndpoint());
+        auiConfig.setAuiBackendApiServerIntrospectionEndpoint(appConf.getMainSettings().getOidcConfig().getAuiBackendApiClient().getIntrospectionEndpoint());
 
         return auiConfig;
     }