diff options
Diffstat (limited to 'gn3/auth/authentication/oauth2')
-rw-r--r-- | gn3/auth/authentication/oauth2/views.py | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py index e440c6e..3a14a48 100644 --- a/gn3/auth/authentication/oauth2/views.py +++ b/gn3/auth/authentication/oauth2/views.py @@ -1,8 +1,11 @@ """Endpoints for the oauth2 server""" import uuid -from flask import Blueprint, current_app as app +from flask import Response, Blueprint, current_app as app +from gn3.auth.authorisation.errors import ForbiddenAccess + +from .resource_server import require_oauth from .endpoints.revocation import RevocationEndpoint from .endpoints.introspection import IntrospectionEndpoint @@ -36,7 +39,15 @@ def revoke_token(): RevocationEndpoint.ENDPOINT_NAME) @auth.route("/introspect", methods=["POST"]) -def introspect_token(): +@require_oauth("introspect") +def introspect_token() -> Response: """Provide introspection information for the token.""" - return app.config["OAUTH2_SERVER"].create_endpoint_response( - IntrospectionEndpoint.ENDPOINT_NAME) + # This is dangerous to provide publicly + authorised_clients = app.config.get( + "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", []) + with require_oauth.acquire("introspect") as the_token: + if the_token.client.client_id in authorised_clients: + return app.config["OAUTH2_SERVER"].create_endpoint_response( + IntrospectionEndpoint.ENDPOINT_NAME) + + raise ForbiddenAccess("You cannot access this endpoint") |