OAuth2StatelessJWTIntrospectionFactory cannot be used with standard JWT #445

Closed
mitar opened this issue Jun 18, 2020 · 5 comments · Fixed by #519
Comments

@mitar
Contributor

mitar commented Jun 18, 2020

I use the following strategy:

strategy := compose.CommonStrategy{
	// Access tokens are RS256 JWTs signed with config.PrivateKey; the HMAC
	// strategy handles authorize codes and refresh tokens.
	CoreStrategy: compose.NewOAuth2JWTStrategy(
		config.PrivateKey,
		compose.NewOAuth2HMACStrategy(fositeConfig, config.OAuthSecret, nil),
	),
	OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fositeConfig, config.PrivateKey),
}

And the following list of factories:

compose.OAuth2AuthorizeExplicitFactory,
compose.OAuth2AuthorizeImplicitFactory,
compose.OAuth2ClientCredentialsGrantFactory,
compose.OAuth2RefreshTokenGrantFactory,
compose.OAuth2TokenRevocationFactory,
compose.OAuth2TokenIntrospectionFactory,

compose.OpenIDConnectExplicitFactory,
compose.OpenIDConnectImplicitFactory,
compose.OpenIDConnectHybridFactory,
compose.OpenIDConnectRefreshFactory,

compose.OAuth2PKCEFactory,

I would assume that I could just replace OAuth2TokenRevocationFactory and OAuth2TokenIntrospectionFactory with OAuth2StatelessJWTIntrospectionFactory, but this does not seem to be really possible. I get the following error when running it:

panic: interface conversion: compose.CommonStrategy is not oauth2.JWTAccessTokenStrategy: missing method ValidateJWT [recovered]
	panic: interface conversion: compose.CommonStrategy is not oauth2.JWTAccessTokenStrategy: missing method ValidateJWT

Expected behavior

It just works. And instead of introspection looking in the database, it just looks into the token.

Environment

  • Version: v0.32.1
  • Environment: Ubuntu
@aeneasr
Member

aeneasr commented Jun 18, 2020

Does this help?

@lazeratops

I am seeing the same issue - the link you pasted does not seem to use the stateless introspection factory, so while I have experimented with implementing similar strategies shown there I still run into the same problem when composing with the CommonStrategy as described above: panic: interface conversion: compose.CommonStrategy is not oauth2.JWTAccessTokenStrategy: missing method ValidateJWT

@mitar
Contributor Author

mitar commented Jun 18, 2020

To me it looks like a bit of bitrot here. Like that things were added in parallel and not really made to work with each other. I have also not found any integration test for this, just unit tests for OAuth2StatelessJWTIntrospectionFactory itself, but nothing like what the example above tries to do.

@lazeratops

As a temporary workaround I've tried out creating a StatelessJWTValidator manually and passing just the JWTStrategy of my CommonStrategy to it. Then appending that validator to my provider via a type assertion after running compose.Compose for the rest of my factories:

provider := compose.Compose(........)
validator := &oauth2.StatelessJWTValidator{
	// Assert on the embedded JWT strategy, not on the CommonStrategy wrapper,
	// which is what the factory's assertion trips over.
	JWTAccessTokenStrategy: s.oauth2.strategy.JWTStrategy.(oauth2.JWTAccessTokenStrategy),
	ScopeStrategy:          s.oauth2.config.GetScopeStrategy(),
}
// Compose returns fosite.OAuth2Provider; the concrete *fosite.Fosite exposes the handler lists.
f := provider.(*fosite.Fosite)
f.TokenIntrospectionHandlers.Append(validator)

This "works" in the couple of very simple tests I've done, but I would love to figure out a proper solution to how to use the stateless introspection.
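
A self-contained Go model of the panic reported above and of the workaround, added here as an example; it is not fosite's code and not part of the thread. The type names mirror fosite's (CoreStrategy, CommonStrategy, JWTAccessTokenStrategy, DefaultJWTStrategy, StatelessJWTValidator) but the bodies are this example's own, and it signs with HS256 and a constructed key where fosite uses RS256 and the configured private key. It shows why the interface conversion fails (a struct that embeds the CoreStrategy interface promotes only that interface's method set, so the ValidateJWT on the concrete value behind it is not visible on the struct), why asserting on the embedded field works, and what a stateless validator does and does not check: alg, signature and exp are read from the token, revocation state is not, so dropping OAuth2TokenRevocationFactory as the first comment proposes means a token that was meant to be revoked keeps being accepted until it expires.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Simplified stand-ins for the fosite interfaces named in the issue: names
// mirror fosite's, bodies are this example's own. CoreStrategy is what
// compose.CommonStrategy embeds: an interface value.
type CoreStrategy interface{ AccessTokenSignature(token string) string }

// JWTAccessTokenStrategy additionally requires ValidateJWT.
type JWTAccessTokenStrategy interface {
	CoreStrategy
	ValidateJWT(token string) (map[string]interface{}, error)
}

// Embedding the interface promotes only CoreStrategy's method set. The value
// behind it may implement ValidateJWT, but the struct does not, so asserting
// the struct to JWTAccessTokenStrategy fails: "missing method ValidateJWT".
type CommonStrategy struct{ CoreStrategy }

// DefaultJWTStrategy is an HS256 stand-in for fosite's RS256 strategy.
type DefaultJWTStrategy struct{ Key []byte }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AccessTokenSignature is the third segment of the compact JWS.
func (s *DefaultJWTStrategy) AccessTokenSignature(token string) string {
	return token[strings.LastIndex(token, ".")+1:]
}

func (s *DefaultJWTStrategy) sign(signingInput string) string {
	m := hmac.New(sha256.New, s.Key)
	m.Write([]byte(signingInput))
	return b64(m.Sum(nil))
}

// Generate mints a compact JWS over the given claims.
func (s *DefaultJWTStrategy) Generate(claims map[string]interface{}) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + s.sign(signingInput)
}

// ValidateJWT checks alg, signature and exp using nothing but the token.
func (s *DefaultJWTStrategy) ValidateJWT(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil ||
		json.Unmarshal(raw, &header) != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected alg header") // rejects alg=none and key confusion
	}
	// Constant-time comparison of the presented and the expected signature.
	if !hmac.Equal([]byte(parts[2]), []byte(s.sign(parts[0]+"."+parts[1]))) {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]interface{}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("unreadable claims")
	}
	if exp, ok := claims["exp"].(float64); !ok || time.Now().Unix() >= int64(exp) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}

// StatelessJWTValidator answers introspection from the token alone; nothing
// is looked up in storage, so a revoked token stays valid until exp.
type StatelessJWTValidator struct{ JWTAccessTokenStrategy }

// IntrospectToken returns the claims when the token is valid and its scope claim contains requiredScope.
func (v *StatelessJWTValidator) IntrospectToken(token, requiredScope string) (map[string]interface{}, error) {
	claims, err := v.ValidateJWT(token)
	if err != nil {
		return nil, err
	}
	scope, _ := claims["scope"].(string)
	for _, g := range strings.Fields(scope) {
		if g == requiredScope {
			return claims, nil
		}
	}
	return nil, fmt.Errorf("scope %q not granted", requiredScope)
}

// NewStatelessValidator does the factory's assertion as an error, not a panic.
func NewStatelessValidator(strategy interface{}) (*StatelessJWTValidator, error) {
	s, ok := strategy.(JWTAccessTokenStrategy)
	if !ok {
		return nil, fmt.Errorf("%T is not JWTAccessTokenStrategy", strategy)
	}
	return &StatelessJWTValidator{JWTAccessTokenStrategy: s}, nil
}
```

With a DefaultJWTStrategy wrapped in CommonStrategy{CoreStrategy: strat}, NewStatelessValidator(common) fails with the same "is not JWTAccessTokenStrategy" message the factory panics with, while NewStatelessValidator(common.CoreStrategy) succeeds, which is the type assertion on the embedded field that the workaround above relies on. The validator it returns accepts a token with a matching key, HS256 header, future exp and the requested scope, and rejects a wrong key, alg=none, an expired token and an ungranted scope.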

@mitar
Contributor Author

mitar commented Oct 24, 2020

I made a PR to fix this: #519

Please check it out and provide any feedback.
