From 0fe5aae28476340f15923f13d155c78c53a09de9 Mon Sep 17 00:00:00 2001
From: Gerard Snaauw
Date: Tue, 8 Oct 2024 13:34:45 +0200
Subject: [PATCH] Revert "return error if introspection request is missing a token"

This reverts commit 8bbddc3f36035a914b540e8718e847a45ea4d3b1.
---
 auth/api/iam/api.go | 9 +++------
 auth/api/iam/api_test.go | 4 ++--
 auth/api/iam/generated.go | 16 ----------------
 docs/_static/auth/v2.yaml | 4 ----
 4 files changed, 5 insertions(+), 28 deletions(-)

diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index fdb162aca..a0986f25d 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -337,9 +337,6 @@ func (r Wrapper) RetrieveAccessToken(_ context.Context, request RetrieveAccessTo
 // IntrospectAccessToken allows the resource server (XIS/EHR) to introspect details of an access token issued by this node
 func (r Wrapper) IntrospectAccessToken(_ context.Context, request IntrospectAccessTokenRequestObject) (IntrospectAccessTokenResponseObject, error) {
 input := request.Body.Token
- if input == "" {
- return nil, core.InvalidInputError("missing token")
- }
 response, err := r.introspectAccessToken(input)
 if err != nil {
 return nil, err
@@ -368,9 +365,9 @@ func (r Wrapper) IntrospectAccessTokenExtended(_ context.Context, request Intros
 func (r Wrapper) introspectAccessToken(input string) (*ExtendedTokenIntrospectionResponse, error) {
 // Validate token
 if input == "" {
- // `token` is REQUIRED per RFC7662
- // The input is also empty when using the wrong Content-Type
- return nil, core.InvalidInputError("missing token")
+ // Return 200 + 'Active = false' when token is invalid or malformed
+ log.Logger().Debug("IntrospectAccessToken: missing token")
+ return nil, nil
 }
 token := AccessToken{}
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
index 0ba34dfb2..32bc20475 100644
--- a/auth/api/iam/api_test.go
+++ b/auth/api/iam/api_test.go
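Review bot: The new `return nil, nil` in introspectAccessToken makes a missing `token` parameter indistinguishable from a token that was looked up and found inactive, and the removed comment correctly noted that an empty input is also what a wrong Content-Type produces; the only trace of that misconfiguration is now a Debug-level log, so a resource server that is sending malformed introspection requests will just see `active: false` for every token and has nothing in normal logs to explain it. The log message also names `IntrospectAccessToken` although this helper is shared with `IntrospectAccessTokenExtended`, whose hunk sits just above. I would make the reason visible to callers and operators with a comment and a helper-scoped message, e.g. `// Empty token (RFC 7662 REQUIRED param; also the result of a wrong Content-Type): report inactive, not an error` and `log.Logger().Debug("introspectAccessToken: missing token in introspection request")`, and consider Info rather than Debug since this indicates a client misconfiguration rather than routine traffic. The caller in the first hunk depends on the nil-response path being handled further down; both function bodies continue outside the hunks.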
@@ -629,8 +629,8 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 // validate all fields are there after introspection
 t.Run("error - no token provided", func(t *testing.T) {
 res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: ""}})
- assert.ErrorIs(t, err, core.InvalidInputError("missing token"))
- assert.Nil(t, res)
+ require.NoError(t, err)
+ assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 })
 t.Run("error - other store error", func(t *testing.T) {
 // token is invalid JSON
diff --git a/auth/api/iam/generated.go b/auth/api/iam/generated.go
index d6360b52e..60ea89cb5 100644
--- a/auth/api/iam/generated.go
+++ b/auth/api/iam/generated.go
@@ -1132,14 +1132,6 @@ func (response IntrospectAccessToken200JSONResponse) VisitIntrospectAccessTokenR
 return json.NewEncoder(w).Encode(response)
 }
 
-type IntrospectAccessToken400Response struct {
-}
-
-func (response IntrospectAccessToken400Response) VisitIntrospectAccessTokenResponse(w http.ResponseWriter) error {
- w.WriteHeader(400)
- return nil
-}
-
 type IntrospectAccessToken401Response struct {
 }
 
@@ -1165,14 +1157,6 @@ func (response IntrospectAccessTokenExtended200JSONResponse) VisitIntrospectAcce
 return json.NewEncoder(w).Encode(response)
 }
 
-type IntrospectAccessTokenExtended400Response struct {
-}
-
-func (response IntrospectAccessTokenExtended400Response) VisitIntrospectAccessTokenExtendedResponse(w http.ResponseWriter) error {
- w.WriteHeader(400)
- return nil
-}
-
 type IntrospectAccessTokenExtended401Response struct {
 }
 
diff --git a/docs/_static/auth/v2.yaml b/docs/_static/auth/v2.yaml
index fe78fc0e2..a31302e74 100644
--- a/docs/_static/auth/v2.yaml
+++ b/docs/_static/auth/v2.yaml
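Review bot: The new `assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})` passes the actual value in the expected position, so when this assertion fails the diff in the testify output is labelled backwards; swap them to `assert.Equal(t, IntrospectAccessToken200JSONResponse{}, res)`. The subtest is still named `"error - no token provided"` although the new expectation is a 200 with an empty (inactive) response and no error, which misleads anyone scanning test output; something like `t.Run("ok - no token provided yields inactive response", ...)` matches what is now asserted. It would also be worth asserting the `Active` field explicitly rather than relying on the zero-value struct comparison, so a future change to the response type cannot silently turn this into a test that passes for the wrong reason; the enclosing test function starts before the hunk.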
@@ -209,8 +209,6 @@ paths:
 application/json:
 schema:
 $ref: "#/components/schemas/TokenIntrospectionResponse"
- '400':
- description: No token received. Possibly due to wrong Content-Type.
 '401':
 description: |
 This is returned when an OAuth2 Client is unauthorized to talk to the introspection endpoint.
@@ -239,8 +237,6 @@ paths:
 application/json:
 schema:
 $ref: "#/components/schemas/ExtendedTokenIntrospectionResponse"
- '400':
- description: No token received. Possibly due to wrong Content-Type.
 '401':
 description: |
 This is returned when an OAuth2 Client is unauthorized to talk to the introspection endpoint.