Use introspection

Whenever getting JWT tokens directly, instead of using the userinfo endpoint, use the introspection one.
EGI-Federation · Oct 7, 2024 · 8a0d145 · 8a0d145
1 parent 89bd333
commit 8a0d145
Showing 1 changed file with 47 additions and 1 deletion.
diff --git a/egi_notebooks_hub/egiauthenticator.py b/egi_notebooks_hub/egiauthenticator.py
@@ -3,6 +3,7 @@
 Uses OpenID Connect with aai.egi.eu
 """
 
+import base64
 import hashlib
 import json
 import os
@@ -108,9 +109,13 @@ async def get(self):
                 "token_type": "bearer",
             }
             user = await self.login_user(token_info)
+            print("&" * 80)
+            print(user)
             if user is None:
                 raise web.HTTPError(403, self.authenticator.custom_403_message)
             auth_state = await user.get_auth_state()
+            print("*" * 80)
+            print(auth_state)
             if auth_state and not auth_state.get("refresh_token", None):
                 self.log.debug("Refresh token is not available")
                 refresh_token = await self.exchange_for_refresh_token(jwt_token)
@@ -174,6 +179,23 @@ def _userdata_url_default(self):
             % self.checkin_host
         )
 
+    introspect_url = Unicode(
+        config=True,
+        help="""
+        The URL to where this authenticator makes a request to
+        introspect user tokens received via the jwt authentication
+
+        For more context, see `RFC7622
+        <https://datatracker.ietf.org/doc/html/rfc7662>`_.
+        """,
+    )
+    @default("introspect_url")
+    def _introspect_url_default(self):
+        return (
+            "https://%s/auth/realms/egi/protocol/openid-connect/token/introspect"
+            % self.checkin_host
+        )
+
     openid_configuration_url = Unicode(
         config=True, help="""The OpenID configuration URL"""
     )
@@ -273,9 +295,33 @@ def user_info_to_username(self, user_info):
             )
         return username
 
+    async def introspect_token(self, data):
+        if "access_token" not in data:
+            raise web.HTTPError(500, f"No access token available")
+
+        # Taken from build_token_info_request_headers of oauthenticator
+        headers = {
+            "Accept": "application/json",
+            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+            "User-Agent": "JupyterHub",
+        }
+        b64key = base64.b64encode(
+            bytes(f"{self.client_id}:{self.client_secret}", "utf8")
+        )
+        headers.update({"Authorization": f'Basic {b64key.decode("utf8")}'})
+        params = {"token": data["access_token"]}
+        return await self.httpfetch(
+            self.introspect_url,
+            label="Introspecting token...",
+            method="POST",
+            headers=headers,
+            body=urlencode(params).encode("utf-8"),
+            validate_cert=self.validate_server_cert,
+        )
+
     async def jwt_authenticate(self, handler, data=None):
         try:
-            user_info = await self.token_to_user(data)
+            user_info = await self.introspect_token(data)
         except HTTPClientError:
             raise web.HTTPError(403)
         # this code below comes is from oauthenticator authenticate