Feature request: implement introspection API in oauth2 client #224

Closed
leeyc0 opened this issue Apr 29, 2020 · 4 comments

@leeyc0 leeyc0 commented Apr 29, 2020

Sometimes we need to introspect the validity of a token with the OAuth2 provider. As such, a built-in client API for token introspection, like `authlib.integrations.requests_client.OAuth2Session.revoke_token`, would be useful.

@leeyc0 leeyc0 changed the title implement introspection API in oauth2 client Feature request: implement introspection API in oauth2 client Apr 29, 2020
@leeyc0 leeyc0 closed this as completed Apr 29, 2020
@leeyc0 leeyc0 reopened this Apr 29, 2020
@leeyc0 leeyc0 closed this as completed Apr 29, 2020
@leeyc0 leeyc0 reopened this Apr 29, 2020
Owner

@lepture lepture commented May 2, 2020

I can't understand your question. Can you explain it in detail with examples?

Author

@leeyc0 leeyc0 commented May 2, 2020

Currently, I need to directly make a requests call to do token introspection:

```python
import requests
from requests.auth import HTTPBasicAuth

# introspect token for validity
auth = HTTPBasicAuth(
    oidcdemo_client_id,
    oidcdemo_client_secret
)
access_token = token['access_token']
data = {
    'token': access_token
}
reply = requests.post(introspect_url, auth=auth, data=data)
```

It would be useful to have an API such as
`introspect_token(url, token=None, token_type_hint=None, body=None, auth=None, headers=None, **kwargs)` to wrap the operation.
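An added example, not part of the thread and not Authlib's own code: the RFC 7662 introspection call that the comment above makes by hand, split into building the request and deciding whether the response can be trusted. The function names, the endpoint URL and the sample claims in the usage are constructed for illustration; only the standard library is used, so nothing is sent over the network.

```python
import base64
import time
import urllib.parse
import urllib.request


def build_introspection_request(url, token, client_id, client_secret,
                                token_type_hint=None):
    """Build (without sending) an RFC 7662 section 2.1 introspection request."""
    if not url.lower().startswith("https://"):
        # The request carries a client secret and a live token.
        raise ValueError("introspection endpoint must use https")
    form = {"token": token}
    if token_type_hint:
        form["token_type_hint"] = token_type_hint
    # HTTP Basic client authentication, as in the requests call above.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def token_is_usable(claims, required_scopes=(), now=None, leeway=0):
    """Evaluate an RFC 7662 section 2.2 response; any doubt means reject."""
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False  # "active" must be the JSON boolean true, not "true" or 1
    now = time.time() if now is None else now
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp + leeway):
        return False  # expired, or exp is not a number
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf - leeway):
        return False  # not yet valid, or nbf is not a number
    granted = claims.get("scope", "")
    granted = set(granted.split()) if isinstance(granted, str) else set()
    return set(required_scopes) <= granted  # every required scope was granted
```

A 200 response from the introspection endpoint only means the call succeeded; the token is acceptable only when `token_is_usable` returns `True` for the parsed JSON body.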

Owner

@lepture lepture commented May 7, 2020

Added in master code.

@lepture lepture closed this as completed May 7, 2020

@SalahuddinX SalahuddinX commented Dec 17, 2021

@lepture I am trying to implement introspection on the client side using Okta as my authorization server but continuously getting this error:

```
{"error": "missing_authorization", "error_description": "Missing \"Authorization\" in headers."}
```

My Implementation

```python
import requests
from flask import redirect, session, url_for
from authlib.integrations.flask_oauth2 import ResourceProtector
from authlib.oauth2.rfc7662 import IntrospectTokenValidator


class MyIntrospectTokenValidator(IntrospectTokenValidator):
    def introspect_token(self, token_string):
        print(f"Introspecting token {token_string}")
        url = f'{okta_keys.get("base_url")}/v1/introspect'
        data = {'token': token_string, 'token_type_hint': 'access_token'}
        auth = (okta_keys.get('client_id'), okta_keys.get('client_secret'))
        resp = requests.post(url, data=data, auth=auth)
        resp.raise_for_status()
        return resp.json()


require_oauth = ResourceProtector()
require_oauth.register_token_validator(MyIntrospectTokenValidator())

okta = oauth.register(
    name='okta',
    client_id=secrets["internal_client_id"],
    client_secret=secrets["internal_client_secret"],
    access_token_url=f'{okta_keys.get("base_url")}/v1/token',
    authorize_url=f'{okta_keys.get("base_url")}/v1/authorize',
    api_base_url=f'{okta_keys.get("base_url")}',
    introspect=f'{okta_keys.get("base_url")}/v1/introspect',
    jwks_uri=f'{okta_keys.get("base_url")}/v1/keys',
    userinfo_endpoint=f'{okta_keys.get("base_url")}/v1/userinfo',
    client_kwargs={'scope': 'openid email profile'},
)

@app.route('/authorize', methods=["GET", "POST"])
def authorize():
    _okta = oauth.create_client('okta')  # create the google oauth client
    token = _okta.authorize_access_token()  # Access token from google (needed to get user info)
    session.permanent = True  # make the session permanent so it keeps existing after the browser gets closed
    headers = {'Authorization': f'Bearer {token.get("access_token")}'}
    print(f"\n\n{headers}\n\n")
    return redirect(url_for('index', _external=True))

@app.route('/oauth/hello-world-api', methods=["GET", "POST"])
@require_oauth(['openid', 'email', 'profile'])
def hello_world():
    return str('Hello World')
```

I have been trying to resolve this for a while but could not succeed.
