From dee42dd14dc7786b1ccf9465bb28dfe74024166c Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Thu, 9 Mar 2023 04:39:37 +0300 Subject: auth: introspection: Protect introspection endpoint The introspection endpoint could contain privileged information, thus requires that the endpoint be protected. This commit ensures that a user has authenticated to the system and that the client they are using be one of the allowed clients. --- gn3/auth/authentication/oauth2/views.py | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'gn3/auth/authentication/oauth2') diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py index e440c6e..3a14a48 100644 --- a/gn3/auth/authentication/oauth2/views.py +++ b/gn3/auth/authentication/oauth2/views.py @@ -1,8 +1,11 @@ """Endpoints for the oauth2 server""" import uuid -from flask import Blueprint, current_app as app +from flask import Response, Blueprint, current_app as app +from gn3.auth.authorisation.errors import ForbiddenAccess + +from .resource_server import require_oauth from .endpoints.revocation import RevocationEndpoint from .endpoints.introspection import IntrospectionEndpoint @@ -36,7 +39,15 @@ def revoke_token(): RevocationEndpoint.ENDPOINT_NAME) @auth.route("/introspect", methods=["POST"]) -def introspect_token(): +@require_oauth("introspect") +def introspect_token() -> Response: """Provide introspection information for the token.""" - return app.config["OAUTH2_SERVER"].create_endpoint_response( - IntrospectionEndpoint.ENDPOINT_NAME) + # This is dangerous to provide publicly + authorised_clients = app.config.get( + "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", []) + with require_oauth.acquire("introspect") as the_token: + if the_token.client.client_id in authorised_clients: + return app.config["OAUTH2_SERVER"].create_endpoint_response( + IntrospectionEndpoint.ENDPOINT_NAME) + + raise ForbiddenAccess("You cannot access this endpoint") -- cgit v1.2.3