Diffstat (limited to 'gn3/auth')
-rw-r--r--gn3/auth/authentication/oauth2/views.py19
-rw-r--r--gn3/auth/authorisation/errors.py4
2 files changed, 19 insertions, 4 deletions
diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py
index e440c6e..3a14a48 100644
--- a/gn3/auth/authentication/oauth2/views.py
+++ b/gn3/auth/authentication/oauth2/views.py
@@ -1,8 +1,11 @@
 """Endpoints for the oauth2 server"""
 import uuid
 
-from flask import Blueprint, current_app as app
+from flask import Response, Blueprint, current_app as app
 
+from gn3.auth.authorisation.errors import ForbiddenAccess
+
+from .resource_server import require_oauth
 from .endpoints.revocation import RevocationEndpoint
 from .endpoints.introspection import IntrospectionEndpoint
 
@@ -36,7 +39,15 @@ def revoke_token():
         RevocationEndpoint.ENDPOINT_NAME)
 
 @auth.route("/introspect", methods=["POST"])
-def introspect_token():
+@require_oauth("introspect")
+def introspect_token() -> Response:
     """Provide introspection information for the token."""
-    return app.config["OAUTH2_SERVER"].create_endpoint_response(
-        IntrospectionEndpoint.ENDPOINT_NAME)
+    # This is dangerous to provide publicly
+    authorised_clients = app.config.get(
+        "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", [])
+    with require_oauth.acquire("introspect") as the_token:
+        if the_token.client.client_id in authorised_clients:
+            return app.config["OAUTH2_SERVER"].create_endpoint_response(
+                IntrospectionEndpoint.ENDPOINT_NAME)
+
+    raise ForbiddenAccess("You cannot access this endpoint")
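Review bot: The token is validated twice for the same scope — the `@require_oauth("introspect")` decorator already rejects requests without a valid token carrying that scope, and `require_oauth.acquire("introspect")` inside the body repeats that work only to reach the token object; if `.resource_server` exposes the validated token (authlib's resource protector offers `current_token` for this), the `with` block can go and the allowlist check can read `current_token.client.client_id` directly. Whichever form stays, the denial path should leave an audit trail before raising, e.g. `app.logger.warning("introspection denied for client %s", the_token.client.client_id)`, since a client probing this endpoint is something operators want to see in logs. The comment `# This is dangerous to provide publicly` would say more as `# Introspection reveals token metadata, so it is limited to an explicit allowlist; a missing or empty OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE denies everyone (fail closed).` The docstring should likewise name that config key as the gate on access, and state that a valid token with the wrong client raises ForbiddenAccess rather than returning an introspection response.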
diff --git a/gn3/auth/authorisation/errors.py b/gn3/auth/authorisation/errors.py
index ff28cd4..3bc7a04 100644
--- a/gn3/auth/authorisation/errors.py
+++ b/gn3/auth/authorisation/errors.py
@@ -8,6 +8,10 @@ class AuthorisationError(Exception):
     """
     error_code: int = 400
 
+class ForbiddenAccess(AuthorisationError):
+    """Raised for forbidden access."""
+    error_code: int = 403
+
 class UserRegistrationError(AuthorisationError):
     """Raised whenever a user registration fails"""
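Review bot: The docstring `"""Raised for forbidden access."""` does not say how this error differs from the base `AuthorisationError` (error_code 400) or when a caller should prefer it; propose `"""Raised when a caller is denied access to a resource or action; carries error_code 403 rather than the base class's 400."""`. The hunk does not show where `error_code` is turned into an HTTP status, so the wording should describe the attribute value rather than promise a response code unless that mapping is confirmed elsewhere in the module.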