"""Handle introspection of tokens."""
import datetime
from urllib.parse import urlparse

from flask import request as flask_request
from authlib.oauth2.rfc7662 import (
    IntrospectionEndpoint as _IntrospectionEndpoint)

from gn3.auth.authentication.oauth2.models.oauth2token import OAuth2Token

from .utilities import query_token as _query_token

def get_token_user_sub(token: OAuth2Token) -> str:# pylint: disable=[unused-argument]
    """Return the subject ("sub") claim for ``token``.

    See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2 for the
    meaning of the claim.  This is a stub: ``token`` is ignored and the
    literal string ``"sub"`` is always returned, which is why the
    introspection payload does not currently emit a ``sub`` field.  Do not
    treat the return value as a real subject identifier.
    """
    placeholder_subject = "sub"
    return placeholder_subject

class IntrospectionEndpoint(_IntrospectionEndpoint):
    """OAuth2 token introspection endpoint (RFC 7662).

    The authlib base class authenticates the calling client, resolves the
    presented token through ``query_token``, gates it through
    ``check_permission`` and only then asks ``introspect_token`` for the
    response body.  ``"active"`` is hard-coded to ``True`` below on the
    assumption that the base class has already answered ``{"active": False}``
    for unknown, expired and revoked tokens -- NOTE(review): confirm this
    against the installed authlib version.
    """

    def query_token(self, token_string: str, token_type_hint: str):
        """Resolve ``token_string`` via the shared ``query_token`` helper.

        ``token_type_hint`` is passed through untouched; its interpretation
        is entirely up to the helper in ``.utilities``.
        """
        lookup = _query_token
        return lookup(self, token_string, token_type_hint)

    def introspect_token(self, token: OAuth2Token) -> dict:
        """Build the RFC 7662 introspection payload for a resolved token.

        ``nbf`` is placed two minutes before ``iat`` to tolerate clock skew
        between this server and the caller.  ``sub`` is intentionally left
        out until a real subject identifier exists (see
        ``get_token_user_sub``).

        NOTE(review): ``iss`` is derived from the incoming request URL, i.e.
        from the ``Host`` header the caller sent.  Unless the deployment pins
        the host (reverse-proxy configuration or Flask ``SERVER_NAME`` /
        trusted hosts), a caller can influence the advertised issuer; a
        configured issuer value would be the more robust choice.
        """
        skew_allowance = datetime.timedelta(seconds=120)
        issued = token.issued_at
        not_before = issued - skew_allowance
        requested = urlparse(flask_request.url)
        issuer = f"{requested.scheme}://{requested.netloc}"
        client_id = token.client.client_id

        payload = {
            "active": True,
            "scope": token.get_scope(),
            "client_id": client_id,
            "username": token.user.name,
            "token_type": token.token_type,
        }
        # Timestamps go out as integer seconds since the epoch, as RFC 7662
        # expects.  NOTE(review): ``.timestamp()`` on a *naive* datetime
        # interprets it as local time -- confirm the token model stores
        # timezone-aware datetimes (or consistently UTC-as-local ones).
        payload.update({
            "exp": int(token.expires_at.timestamp()),
            "iat": int(issued.timestamp()),
            "nbf": int(not_before.timestamp()),
            # "sub": get_token_user_sub(token),
            "aud": client_id,
            "iss": issuer,
            "jti": token.token_id,
        })
        return payload

    def check_permission(self, token, client, request):# pylint: disable=[unused-argument]
        """Decide whether ``client`` may introspect ``token``.

        Only clients registered with ``client_type == "internal"`` are
        allowed.  Neither the token nor the request is consulted, so an
        internal client can introspect tokens issued to *any* client; a
        falsy result is presumably turned into ``{"active": False}`` by the
        base class rather than an error.
        """
        permitted_client_types = ("internal",)
        return client.client_type in permitted_client_types