Introspect tokens
As stated in OAuth 2.0 Token Introspection RFC introspect provides a way to check token validity.
POST /introspect HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer 23410913-abewfq.123483
token=2YotnFZFEjr1zCsicMWpAA
---
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true,
"client_id": "l238j323ds-23ij4",
"username": "jdoe",
"scope": "read write dolphin",
"sub": "Z5O3upPC88QrAjx00dis",
"aud": "https://protected.example.net/resource",
"iss": "https://server.example.com/",
"exp": 1419356238,
"iat": 1419350238,
"extension_field": "twenty-seven"
}
Copyright (c) 2015 IETF Trust and the persons identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust’s Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info).
Integration
Code example
- lib/my_app_web/views/oauth_view.ex
defmodule MyAppWeb.OauthView do
use MyAppWeb, :view
alias Boruta.Oauth.IntrospectResponse
def render("introspect.json", %{response: %IntrospectResponse{active: false}}) do
%{"active" => false}
end
def render("introspect.json", %{response: %IntrospectResponse{
active: active,
client_id: client_id,
username: username,
scope: scope,
sub: sub,
iss: iss,
exp: exp,
iat: iat
}}) do
%{
active: true,
client_id: client_id,
username: username,
scope: scope,
sub: sub,
iss: iss,
exp: exp,
iat: iat
}
end
def render("error.json", %{error: error, error_description: error_description}) do
%{
error: error,
error_description: error_description
}
end
end
- lib/my_app_web/controllers/oauth_controller.ex
defmodule MyAppWeb.OauthController do
@behaviour Boruta.Oauth.Application
use MyAppWeb, :controller
alias Boruta.Oauth
alias Boruta.Oauth.Error
alias Boruta.Oauth.IntrospectResponse
alias MyAppWeb.OauthView
def introspect(%Plug.Conn{} = conn, _params) do
conn |> Oauth.introspect(__MODULE__)
end
@impl Boruta.Oauth.Application
def introspect_success(conn, %IntrospectResponse{} = response) do
conn
|> put_view(OauthView)
|> render("introspect.json", response: response)
end
@impl Boruta.Oauth.Application
def introspect_error(conn, %Error{
status: status,
error: error,
error_description: error_description
}) do
conn
|> put_status(status)
|> put_view(OauthView)
|> render("error.json", error: error, error_description: error_description)
end
end
- lib/my_app_web/router.ex
defmodule MyAppWeb.Router do
use MyAppWeb, :router
pipeline :api do
plug :accepts, ["json"]
end
scope "/oauth", MyAppWeb do
pipe_through :api
post "/introspect", OauthController, :introspect
end
end