Add token introspection feature as a policy. [THREESCALE-312]

[tmogi001]

Hi team,

I created a new policy to enable RFC7662 OAuth2.0 Token Introspection.
This PR is a rework of the previous request (#435) as a policy.

And Also added sample configuration in the examples/policies directory.

[mikz]

This header can be moved to the _M.new, right?

[mikz]

I think it would be a bit nicer for introspect_token to return a table so this would look like:

if introspect_token(self, access_token).active then
  ...
else
  ... 
end

Or rename introspect_token to active_token because it actually returns true/false if the token is active or not.

[mikz]

Is this active field defined in some RFC? Could we link to the relevant RFC section in a comment?

[reedstrm]

Came by to look at your PR review automation, stayed to help out w/ a little PR doc pointing. :-) Seems the appropriate RFC doc entry point is: https://tools.ietf.org/html/rfc7662#section-2.2 Where active is the only REQUIRED member of the returned JSON introspection result.

[mikz]

@reedstrm very nice. Thanks! This looks like the right doc.

@tmogi001 for cases where is RFC available I try to implement it as:
https://github.com/3scale/apicast/blob/5168008db2abb2e217d23f925599fd33da5248cb/gateway/src/resty/http_ng/cache_store.lua#L85-L110

Because the RFC is immutable the comments won't get out of sync and act as relevant context with links to the other parts of the RFC. In this case just the relevant parts to the code in question to document the requests and responses for example.

BTW it is pity OpenID Connect Discovery does not define token introspection endpoint. Some IDPs provide it (like Keycloak as token_introspection_endpoint), but I don't see it being part of the spec.

[mikz]

Would be good to link to the RFC section describing that introspection endpoint receives POST and what parameters.

[reedstrm]

https://tools.ietf.org/html/rfc7662#section-2.1 - only REQUIRED param is the token

[mikz]

This line would be better in after_each block so it is not repeated in every test.

[mikz]

It probably should expect right http method (POST) too ? And some other parameters like token_type_hint ? And possibly the headers?

[mikz]

@davidor I think we should provide a way to do this in http_ng constructor. Because it is done one several places IIRC.

[mikz]

@davidor we probably should provide a default value for these options/headers in the http_ng constructor to simplify its initialization.

[mikz]

@tmogi001 this is very good! 👍 🥇 My comments will be just nitpicks. This should be just minimal effort to be mergeable.
One of the things missing would be an integration test similar to other policy tests: https://github.com/3scale/apicast/blob/master/t/apicast-policy-cors.t
I think we could help with those a bit.

[reedstrm]

@mikz - As a random drive-by developer, with a group working on making our PR review policies more explicit (and automating as much as possible :-) - I landed here following examples of use of the CHANGELOG github app) I just wanted to say that I liked your review style here - not only do you review the code-as-presented, you call out issues w/ the shared testing infrastructure, to make future coding easier.

[mikz]

@reedstrm thank you very much! Means a lot.

Regarding the Changelog app (if you mean https://github.com/mikz/probot-changelog).
I'd say we are mostly happy. But because the changelog is changed in almost every PR it is hard when there is a lot of concurrent changes because they conflict. That means every PR then has to be resolved after there is another one merged. That can be quite frustrating. Maybe not as much when your testsuite runs in less than few minutes, but if you have to wait several minutes it is easy to forget.

I'm quite obsessed with automation and other approaches I was considering were:

• https://github.com/conventional-changelog/conventional-changelog
• generating changelog from PR description + labels

But a changelog is very simple approach and can scale up to some level. Even some huge projects like Ruby on Rails still use one changelog file per component and it works.

[tmogi001]

@mikz , @reedstrm Thank you for reviewing. I pushed fixed code and also added integration test case.

[mikz]

@tmogi001 any reason why not to add the 'Authorization' header here too?

[mikz]

Is the if res really necessary? Shouldn't this be just if err ?

[mikz]

This can return nil when cjson.decode returns nil, err. That can happen for example when the response body is not valid json (html usually).

[mikz]

Just when fixing #626 I realised there is plenty of error cases.

If the API would return null then this would be ngx.null and return the same error as in #626.

This function should always return a table even when the json response can be a string, number, null, ...

And it should normalize active because if ngx.null is truthy so { "active": null } would evaluate to true.

[mikz]

There is one potential crash that should be fixed:
https://github.com/3scale/apicast/pull/619/files#r170911776

The rest is just nitpicks and should be easy to fix.
And we will need a changelog entry.

[mikz]

A typo here. Should be Client ID.

[mikz]

Looks like this name is not the same as in the tests/code. Everywhere it uses client_id.

[mikz]

The same issue as https://github.com/3scale/apicast/pull/619/files#r170914144.

[tmogi001]

I fixed my source code and added test cases (unit, integration) of invalid response from IdP.
And also added a change log entry.

[mikz]

This does not match the use in the policy. Here it is introspectionUrl but there it is introspection_url.
We plan to have JSON schema validation during Policy initialization to verify those cases in CI, but right now it is just manual process, sorry.

[mikz]

This will incorrectly validate case when the response is { "active": null }. It should check for active == true.

[mikz]

This will return whatever the JSON was. So if the JSON is null this would crash a bit later.

I think it should verify type(token_info) == 'table' and return the error otherwise instead of checking just the decode_err.

[tmogi001]

In my opinion, checking the decode_err is enough. Because it must be an error when token_info is null.
So, cjson.decode() always return error and decode_err must not be null when token_info JSON is null.

I checked cjson.decode(""),cjson.decode("{}"), cjson.decode(nil) and cjson.decode(ngx.null) returned decode_err.

[mikz]

If the response body is null then the JSON will be correctly decoded to ngx.null like:

cjson.decode('null')

That will later crash on trying to access .active (attempt to index a userdata value):

cjson.decode('null').active

The same can happen when a number is returned like:

cjson.decode('42').active

What I'm saying is introspect_token always has to return a table, because later it tries to get the key .access from it. And the only way to verify it always returns table is to check the type.
Because the response body is basically user input it can be any valid JSON, including just string "null" or numbers.

[tmogi001]

Thank you for information. I missed 'null' and numbers.

Do you think it is good as following? This worked fine with test code.

if decode_err or not (type(token_info) == 'table') then
  ngx.log(ngx.ERR, 'failed to parse token introspection response:', decode_err)
  return { active = false }
end

[mikz]

I think it could be easier to read as:

if type(token_info) == 'table' then
  return token_info
else
  ngx.log(ngx.ERR, 'failed to parse token introspection response: ', decode_err or 'not a table')
  return { active = false }
end

[tmogi001]

Thank you! I think this is nice.

[mikz]

Thank you @tmogi001 for this excellent PR! 🎉

You did a really good job.