Add introspection implementation

README.md

@@ -24,6 +24,7 @@ The following RFCs are implemented:
 * [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
+* [RFC7662 "OAuth 2.0 Token Introspection"](https://tools.ietf.org/html/rfc7662)
 
 This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 

src/AuthorizationServer.php

@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server;
 
 use Defuse\Crypto\Key;
+use Lcobucci\JWT\Parser;
 use League\Event\EmitterAwareInterface;
 use League\Event\EmitterAwareTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -197,6 +198,22 @@ public function respondToAccessTokenRequest(ServerRequestInterface $request, Res
         throw OAuthServerException::unsupportedGrantType();
     }
 
+    /**
+     * Return an introspection response.
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface      $response
+     *
+     * @return ResponseInterface
+     */
+    public function respondToIntrospectionRequest(ServerRequestInterface $request, ResponseInterface $response)
+    {
+        $introspector = new Introspector($this->accessTokenRepository, $this->privateKey, new Parser);
+        $introspectionResponse = $introspector->respondToIntrospectionRequest($request);
+
+        return $introspectionResponse->generateHttpResponse($response);
+    }
+
     /**
      * Get the token type that grants will return in the HTTP response.
      *

src/Grant/AuthCodeGrant.php

@@ -204,6 +204,7 @@ public function getIdentifier()
      * Fetch the client_id parameter from the query string.
      *
      * @return string|null
+     *
      * @throws OAuthServerException
      */
     protected function getClientIdFromRequest($request)

src/Introspector.php

@@ -0,0 +1,165 @@
+<?php
+
+namespace League\OAuth2\Server;
+
+use Exception;
+use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\Signer\Keychain;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Token;
+use Lcobucci\JWT\ValidationData;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\ResponseTypes\IntrospectionResponse;
+use Psr\Http\Message\ServerRequestInterface;
+
+class Introspector
+{
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var CryptKey
+     */
+    private $privateKey;
+
+    /**
+     * @var Parser
+     */
+    private $parser;
+
+    /**
+     * New Introspector instance.
+     *
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     * @param CryptKey                       $privateKey
+     * @param Parser                         $parser
+     */
+    public function __construct(
+        AccessTokenRepositoryInterface $accessTokenRepository,
+        CryptKey $privateKey,
+        Parser $parser
+    ) {
+        $this->accessTokenRepository = $accessTokenRepository;
+        $this->privateKey = $privateKey;
+        $this->parser = $parser;
+    }
+
+    /**
+     * Return an introspection response.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return IntrospectionResponse
+     */
+    public function respondToIntrospectionRequest(ServerRequestInterface $request)
+    {
+        $jwt = $request->getParsedBody()['token'] ?? null;
+
+        try {
+            $token = $this->parser->parse($jwt);
+
+            $this->verifyToken($token);
+            $this->checkIfTokenIsExpired($token);
+            $this->checkIfTokenIsRevoked($token);
+
+            return $this->createActiveResponse($token);
+        } catch (Exception $ex) {
+            return $this->createInactiveResponse();
+        }
+    }
+
+    /**
+     * Validate the JWT token.
+     *
+     * @param Token $token
+     *
+     * @throws OAuthServerException
+     */
+    private function verifyToken(Token $token)
+    {
+        $keychain = new Keychain();
+        $key = $keychain->getPrivateKey($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
+
+        if (!$token->verify(new Sha256, $key->getContent())) {
+            throw OAuthServerException::accessDenied('Access token could not be verified');
+        }
+    }
+
+    /**
+     * Ensure access token hasn't expired
+     *
+     * @param Token $token
+     *
+     * @throws OAuthServerException
+     */
+    private function checkIfTokenIsExpired(Token $token)
+    {
+        $data = new ValidationData(time());
+
+        if (!$token->validate($data)) {
+            throw OAuthServerException::accessDenied('Access token is invalid');
+        }
+    }
+
+    /**
+     * Check if the given access token is revoked.
+     *
+     * @param Token $token
+     *
+     * @throws OAuthServerException
+     */
+    private function checkIfTokenIsRevoked(Token $token)
+    {
+        if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
+            throw OAuthServerException::accessDenied('Access token has been revoked');
+        }
+    }
+
+    /**
+     * Create active introspection response.
+     *
+     * @param Token $token
+     *
+     * @return IntrospectionResponse
+     */
+    private function createActiveResponse(Token $token)
+    {
+        $response = new IntrospectionResponse();
+
+        $response->setIntrospectionData(
+            [
+                'active' => true,
+                'token_type' => 'access_token',
+                'scope' => $token->getClaim('scopes', ''),
+                'client_id' => $token->getClaim('aud'),
+                'exp' => $token->getClaim('exp'),
+                'iat' => $token->getClaim('iat'),
+                'sub' => $token->getClaim('sub'),
+                'jti' => $token->getClaim('jti'),
+            ]
+            );
+
+        return $response;
+    }
+
+    /**
+     * Create inactive introspection response
+     *
+     * @return IntrospectionResponse
+     */
+    private function createInactiveResponse()
+    {
+        $response = new IntrospectionResponse();
+
+        $response->setIntrospectionData(
+            [
+                'active' => false,
+            ]
+        );
+
+        return $response;
+    }
+}

src/ResponseTypes/IntrospectionResponse.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace League\OAuth2\Server\ResponseTypes;
+
+use Psr\Http\Message\ResponseInterface;
+
+class IntrospectionResponse extends AbstractResponseType
+{
+    /**
+     * @var array
+     */
+    private $introspectionData;
+
+    /**
+     * @param array $introspectionData
+     */
+    public function setIntrospectionData(array $introspectionData)
+    {
+        $this->introspectionData = $introspectionData;
+    }
+
+    /**
+     * @return array
+     */
+    public function getIntrospectionData()
+    {
+        return $this->introspectionData;
+    }
+
+    /**
+     * @param ResponseInterface $response
+     *
+     * @return ResponseInterface
+     */
+    public function generateHttpResponse(ResponseInterface $response)
+    {
+        $response->getBody()->write(json_encode($this->introspectionData));
+
+        return $response;
+    }
+}