
Backport: tighten v1 access token introspection to V5.4#4187

Merged
reinkrul merged 2 commits into V5.4 from fix/introspect-jwt-validation-v5.4 on Apr 14, 2026

Conversation

@reinkrul
Member

Summary

  • Backport of master commit 41eecd4 to the V5.4 branch, adapted for jwx v1 and the old vdr/didservice / vdr/types packages.
  • Adds validation to the v1 access token introspection: typ must be at+jwt, iss/sub/service must be non-empty, and the iss claim must match the DID extracted from the kid header.
  • Adds v5.4.31 release notes.

Test plan

  • go test ./auth/...
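The three introspection checks listed in the summary, as an added Go example that is not the Nuts node's own code: `TokenParts`, `didFromKid` and `ValidateIntrospectedToken` are assumed names, the struct stands in for the jwx-parsed token, and signature verification is assumed to have already succeeded.

```go
package main

import (
	"fmt"
	"strings"
)

// TokenParts is a constructed view of an already signature-verified JWT:
// the two header fields and the claims the introspection checks use.
type TokenParts struct {
	Typ    string            // typ header; access tokens are issued with "at+jwt"
	Kid    string            // kid header, a DID URL such as "did:nuts:abc#key-1"
	Claims map[string]string // iss, sub, service
}

// didFromKid strips the key fragment from the kid DID URL.
func didFromKid(kid string) (string, error) {
	did, _, found := strings.Cut(kid, "#")
	if !found || !strings.HasPrefix(did, "did:") {
		return "", fmt.Errorf("kid %q is not a DID URL with a key fragment", kid)
	}
	return did, nil
}

// ValidateIntrospectedToken applies the three checks from the PR summary.
// Checking typ first rejects a replayed VP JWT before any claim is read.
func ValidateIntrospectedToken(t TokenParts) error {
	if t.Typ != "at+jwt" {
		return fmt.Errorf("typ header must be at+jwt, got %q", t.Typ)
	}
	for _, name := range []string{"iss", "sub", "service"} {
		if strings.TrimSpace(t.Claims[name]) == "" {
			return fmt.Errorf("claim %q must be non-empty", name)
		}
	}
	did, err := didFromKid(t.Kid)
	if err != nil {
		return err
	}
	if t.Claims["iss"] != did {
		return fmt.Errorf("iss %q does not match kid DID %q", t.Claims["iss"], did)
	}
	return nil
}

func main() {
	// Constructed sample: a VP JWT presented as an access token (typ is "JWT").
	vp := TokenParts{Typ: "JWT", Kid: "did:nuts:abc#key-1",
		Claims: map[string]string{"iss": "did:nuts:abc", "sub": "did:nuts:def", "service": "svc"}}
	fmt.Println(ValidateIntrospectedToken(vp))
}
```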

@qltysh

qltysh Bot commented Apr 14, 2026

Qlty

Coverage Impact

⬇️ Merging this pull request will decrease total coverage on V5.4 by 0.01%.

Modified Files with Diff Coverage (1)

| Rating | File | % Diff | Uncovered Line #s |
|---|---|---|---|
| B | auth/services/oauth/authz_server.go | 75.8% | 515-516, 518-519... |
| | Total | 75.8% | |

In the `fix/introspect-jwt-validation-v5.4` branch, add test coverage for this new code:

- `auth/services/oauth/authz_server.go` -- Lines 515-516, 518-519, 552-553, and 561-562


reinkrul and others added 2 commits April 14, 2026 14:33
The v1 introspection endpoint accepted any JWT signed by a key present on
the node, allowing VP JWTs to be replayed as access tokens. This adds three
validation checks to IntrospectAccessToken:

- Require typ header to be "at+jwt" (set on issuance, verified on introspection)
- Require non-empty iss, sub, and service claims
- Verify iss claim matches the DID extracted from the kid header

Backport of 41eecd4 to V5.4.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@reinkrul reinkrul force-pushed the fix/introspect-jwt-validation-v5.4 branch from 2f2194c to 33bc3da on April 14, 2026 12:35
@reinkrul reinkrul merged commit ba3095f into V5.4 Apr 14, 2026
8 checks passed
@reinkrul reinkrul deleted the fix/introspect-jwt-validation-v5.4 branch April 14, 2026 12:42