fix: introspection response

pipeline/authn/authenticator_oauth2_introspection.go

@@ -96,6 +96,42 @@ type AuthenticatorOAuth2IntrospectionResult struct {
 	TokenUse  string                 `json:"token_use"`
 }
 
+// Audience value mau be a single sensitive string.
+type AuthenticatorOAuth2IntrospectionResultFork struct {
+	Active    bool                   `json:"active"`
+	Extra     map[string]interface{} `json:"ext"`
+	Subject   string                 `json:"sub,omitempty"`
+	Username  string                 `json:"username"`
+	Audience  string                 `json:"aud"`
+	TokenType string                 `json:"token_type"`
+	Issuer    string                 `json:"iss"`
+	ClientID  string                 `json:"client_id,omitempty"`
+	Scope     string                 `json:"scope,omitempty"`
+	Expires   int64                  `json:"exp"`
+	TokenUse  string                 `json:"token_use"`
+}
+
+func ModifyResponse(old interface{}) *AuthenticatorOAuth2IntrospectionResult {
+	i, ok := old.(*AuthenticatorOAuth2IntrospectionResultFork)
+	if !ok {
+		return nil
+	}
+	audience := append([]string{}, i.Audience)
+	return &AuthenticatorOAuth2IntrospectionResult{
+		Active:    i.Active,
+		Extra:     i.Extra,
+		Subject:   i.Subject,
+		Username:  i.Username,
+		Audience:  audience,
+		TokenType: i.TokenType,
+		Issuer:    i.Issuer,
+		ClientID:  i.ClientID,
+		Scope:     i.Scope,
+		Expires:   i.Expires,
+		TokenUse:  i.TokenUse,
+	}
+}
+
 func (a *AuthenticatorOAuth2Introspection) tokenFromCache(config *AuthenticatorOAuth2IntrospectionConfiguration, token string, ss fosite.ScopeStrategy) *AuthenticatorOAuth2IntrospectionResult {
 	if !config.Cache.Enabled {
 		return nil
@@ -112,7 +148,7 @@ func (a *AuthenticatorOAuth2Introspection) tokenFromCache(config *AuthenticatorO
 
 	i, ok := item.(*AuthenticatorOAuth2IntrospectionResult)
 	if !ok {
-		return nil
+		return ModifyResponse(item)
 	}
 
 	return i

pipeline/authn/authenticator_oauth2_introspection_test.go

@@ -25,22 +25,21 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"reflect"
 	"sync"
 	"testing"
 	"time"
 
-	"github.com/ory/x/assertx"
-
 	"github.com/julienschmidt/httprouter"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/tidwall/sjson"
-
 	"github.com/ory/oathkeeper/driver/configuration"
 	"github.com/ory/oathkeeper/internal"
 	. "github.com/ory/oathkeeper/pipeline/authn"
 	"github.com/ory/viper"
+	"github.com/ory/x/assertx"
 	"github.com/ory/x/logrusx"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tidwall/sjson"
 )
 
 func TestAuthenticatorOAuth2Introspection(t *testing.T) {
@@ -841,3 +840,42 @@ func TestAuthenticatorOAuth2Introspection(t *testing.T) {
 		})
 	})
 }
+
+func Test_ModifyResponse(t *testing.T) {
+	type args struct {
+		old interface{}
+	}
+	tests := []struct {
+		name string
+		args args
+		want *AuthenticatorOAuth2IntrospectionResult
+	}{
+		{
+			name: "Test No Error",
+			args: args{
+				old: &AuthenticatorOAuth2IntrospectionResultFork{
+					Audience: "application",
+				},
+			},
+			want: &AuthenticatorOAuth2IntrospectionResult{
+				Audience: []string{"application"},
+			},
+		},
+		{
+			name: "Test Different Struct (Error)",
+			args: args{
+				old: &AuthenticatorOAuth2IntrospectionPreAuthConfiguration{
+					Audience: "application",
+				},
+			},
+			want: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := ModifyResponse(tt.args.old); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("modifyResponse() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}