feat: update JWT Response for OAuth Token Introspection to draft 08

README.md

@@ -40,7 +40,7 @@ enabled by default, check the configuration section on how to enable them.
 
 The following draft specifications are implemented by oidc-provider.
 - [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - draft 02][jwt-at]
-- [JWT Response for OAuth Token Introspection - draft 07][jwt-introspection]
+- [JWT Response for OAuth Token Introspection - draft 08][jwt-introspection]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - draft 02][jarm]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - individual draft 02][dpop]
 - [OAuth 2.0 JWT Secured Authorization Request (JAR)][jar]
@@ -205,7 +205,7 @@ See the list of available emitted [event names](/docs/events.md) and their descr
 [wmrm]: https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00
 [jar]: https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19
 [device-flow]: https://tools.ietf.org/html/rfc8628
-[jwt-introspection]: https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-07
+[jwt-introspection]: https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08
 [sponsor-auth0]: https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=oidc-provider&utm_content=auth
 [suggest-feature]: https://github.com/panva/node-oidc-provider/issues/new?template=feature-request.md
 [bug]: https://github.com/panva/node-oidc-provider/issues/new?template=bug-report.md

docs/README.md

@@ -1051,7 +1051,7 @@ _**default value**_:
 
 ### features.jwtIntrospection
 
-[draft-ietf-oauth-jwt-introspection-response-06](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-06) - JWT Response for OAuth Token Introspection  
+[draft-ietf-oauth-jwt-introspection-response-08](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08) - JWT Response for OAuth Token Introspection  
 
 Enables JWT responses for Token Introspection features   
 

lib/actions/introspection.js

@@ -3,6 +3,7 @@ const Debug = require('debug');
 const debug = new Debug('oidc-provider:introspection');
 const uidToGrantId = new Debug('oidc-provider:uid');
 
+const epochTime = require('../helpers/epoch_time');
 const presence = require('../helpers/validate_presence');
 const getTokenAuth = require('../shared/token_auth');
 const noCache = require('../shared/no_cache');
@@ -78,19 +79,21 @@ module.exports = function introspectionAction(provider) {
         const {
           introspectionEncryptedResponseAlg: encrypt,
           introspectionSignedResponseAlg: sign,
-          introspectionEndpointAuthMethod: method,
         } = client;
 
         const accepts = ctx.accepts('json', JWT);
-        if (encrypt && method === 'none' && accepts !== JWT) {
+        if (encrypt && accepts !== JWT) {
           throw new InvalidRequest(`introspection must be requested with Accept: ${JWT} for this client`);
         }
 
         await next();
 
         if ((encrypt || sign) && accepts === JWT) {
           const token = new IdToken({}, { ctx });
-          token.extra = ctx.body;
+          token.extra = {
+            ...ctx.body,
+            iat: ctx.body.iat ? epochTime() : undefined,
+          };
 
           ctx.body = await token.issue({ use: 'introspection' });
           ctx.type = 'application/jwt; charset=utf-8';

lib/helpers/defaults.js

@@ -817,7 +817,7 @@ const DEFAULTS = {
     /*
      * features.jwtIntrospection
      *
-     * title: [draft-ietf-oauth-jwt-introspection-response-06](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-06) - JWT Response for OAuth Token Introspection
+     * title: [draft-ietf-oauth-jwt-introspection-response-08](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08) - JWT Response for OAuth Token Introspection
      *
      * description: Enables JWT responses for Token Introspection features
      *

lib/helpers/features.js

@@ -51,10 +51,10 @@ const DRAFTS = new Map(Object.entries({
     version: 2,
   },
   jwtIntrospection: {
-    name: 'JWT Response for OAuth Token Introspection - draft 07',
+    name: 'JWT Response for OAuth Token Introspection - draft 08',
     type: 'IETF OAuth Working Group draft',
-    url: 'https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-07',
-    version: [2, 3, 4, 5, 6, 7],
+    url: 'https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08',
+    version: 8,
   },
   jwtResponseModes: {
     name: 'JWT Secured Authorization Response Mode for OAuth 2.0 - draft 02',

lib/models/id_token.js

@@ -114,6 +114,7 @@ module.exports = function getIdToken(provider) {
           alg = client.introspectionSignedResponseAlg;
           signOptions = {
             noIat: true,
+            typ: 'token-introspection+jwt',
           };
           encryption = {
             alg: client.introspectionEncryptedResponseAlg,

test/jwt_introspection/jwt_introspection.config.js

@@ -25,7 +25,7 @@ module.exports = {
     redirect_uris: ['https://client.example.com/cb'],
   },
   {
-    client_id: 'client-encrypted-none',
+    client_id: 'client-encrypted',
     client_secret: 'secret',
     introspection_endpoint_auth_method: 'none',
     introspection_encrypted_response_alg: 'PBES2-HS256+A128KW',

test/jwt_introspection/jwt_introspection.test.js

@@ -1,4 +1,5 @@
 const { expect } = require('chai');
+const timekeeper = require('timekeeper');
 
 const bootstrap = require('../test_helper');
 const JWT = require('../../lib/helpers/jwt');
@@ -9,6 +10,8 @@ const route = '/token/introspection';
 describe('jwtIntrospection features', () => {
   before(bootstrap(__dirname));
 
+  afterEach(() => timekeeper.reset());
+
   describe('enriched discovery', () => {
     it('shows the url now', function () {
       return this.agent.get('/.well-known/openid-configuration')
@@ -31,6 +34,8 @@ describe('jwtIntrospection features', () => {
     });
 
     it('returns the response as jwt', async function () {
+      const now = Date.now();
+      timekeeper.freeze(now);
       const at = new this.provider.AccessToken({
         accountId: 'accountId',
         grantId: 'foo',
@@ -39,6 +44,7 @@ describe('jwtIntrospection features', () => {
       });
 
       let json;
+      let iat;
       const token = await at.save();
       await this.agent.post(route)
         .auth('client-signed', 'secret')
@@ -49,9 +55,11 @@ describe('jwtIntrospection features', () => {
         .expect(200)
         .expect('content-type', 'application/json; charset=utf-8')
         .expect(({ body }) => {
-          json = body;
+          ({ iat, ...json } = body);
         });
 
+      timekeeper.travel(now + (10 * 1000));
+
       return this.agent.post(route)
         .auth('client-signed', 'secret')
         .send({
@@ -62,7 +70,10 @@ describe('jwtIntrospection features', () => {
         .expect(200)
         .expect('content-type', 'application/jwt; charset=utf-8')
         .expect(({ text }) => {
-          expect(JWT.decode(text).payload).to.eql(json);
+          const { payload: { iat: jwtIat, ...payload }, header } = JWT.decode(text);
+          expect(payload).to.eql(json);
+          expect(jwtIat).to.eql(iat + 10);
+          expect(header).to.have.property('typ', 'token-introspection+jwt');
         });
     });
 
@@ -95,14 +106,14 @@ describe('jwtIntrospection features', () => {
       const at = new this.provider.AccessToken({
         accountId: 'accountId',
         grantId: 'foo',
-        clientId: 'client-encrypted-none',
+        clientId: 'client-encrypted',
         scope: 'scope',
       });
 
       const token = await at.save();
       await this.agent.post(route)
         .send({
-          client_id: 'client-encrypted-none',
+          client_id: 'client-encrypted',
           token,
         })
         .type('form')
@@ -115,7 +126,7 @@ describe('jwtIntrospection features', () => {
 
       return this.agent.post(route)
         .send({
-          client_id: 'client-encrypted-none',
+          client_id: 'client-encrypted',
           token,
         })
         .type('form')