fix: Returning Valid token_type in Introspection Response

handler/oauth2/introspector.go

@@ -36,7 +36,7 @@ type CoreValidator struct {
 	DisableRefreshTokenValidation bool
 }
 
-func (c *CoreValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (fosite.TokenType, error) {
+func (c *CoreValidator) IntrospectToken(ctx context.Context, token string, tokenUse fosite.TokenUse, accessRequest fosite.AccessRequester, scopes []string) (fosite.TokenUse, error) {
 	if c.DisableRefreshTokenValidation {
 		if err := c.introspectAccessToken(ctx, token, accessRequest, scopes); err != nil {
 			return "", err
@@ -45,7 +45,7 @@ func (c *CoreValidator) IntrospectToken(ctx context.Context, token string, token
 	}
 
 	var err error
-	switch tokenType {
+	switch tokenUse {
 	case fosite.RefreshToken:
 		if err = c.introspectRefreshToken(ctx, token, accessRequest, scopes); err == nil {
 			return fosite.RefreshToken, nil

handler/oauth2/introspector_jwt.go

@@ -39,7 +39,7 @@ type StatelessJWTValidator struct {
 	ScopeStrategy fosite.ScopeStrategy
 }
 
-func (v *StatelessJWTValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (fosite.TokenType, error) {
+func (v *StatelessJWTValidator) IntrospectToken(ctx context.Context, token string, tokenUse fosite.TokenUse, accessRequest fosite.AccessRequester, scopes []string) (fosite.TokenUse, error) {
 	or, err := v.JWTAccessTokenStrategy.ValidateJWT(ctx, fosite.AccessToken, token)
 	if err != nil {
 		return "", err
@@ -56,5 +56,5 @@ func (v *StatelessJWTValidator) IntrospectToken(ctx context.Context, token strin
 	}
 
 	accessRequest.Merge(or)
-	return "", nil
+	return fosite.AccessToken, nil
 }

handler/oauth2/introspector_test.go

@@ -52,7 +52,7 @@ func TestIntrospectToken(t *testing.T) {
 		description string
 		setup       func()
 		expectErr   error
-		expectTT    fosite.TokenType
+		expectTU    fosite.TokenUse
 	}{
 		{
 			description: "should fail because no bearer token set",
@@ -99,18 +99,18 @@ func TestIntrospectToken(t *testing.T) {
 			setup: func() {
 				chgen.EXPECT().ValidateAccessToken(nil, areq, "1234").Return(nil)
 			},
-			expectTT: fosite.AccessToken,
+			expectTU: fosite.AccessToken,
 		},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 			c.setup()
-			tt, err := v.IntrospectToken(nil, fosite.AccessTokenFromRequest(httpreq), fosite.AccessToken, areq, []string{})
+			tu, err := v.IntrospectToken(nil, fosite.AccessTokenFromRequest(httpreq), fosite.AccessToken, areq, []string{})
 
 			if c.expectErr != nil {
 				require.EqualError(t, err, c.expectErr.Error())
 			} else {
 				require.NoError(t, err)
-				assert.Equal(t, c.expectTT, tt)
+				assert.Equal(t, c.expectTU, tu)
 			}
 		})
 	}

introspect.go

@@ -30,7 +30,7 @@ import (
 )
 
 type TokenIntrospector interface {
-	IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (TokenType, error)
+	IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, accessRequest AccessRequester, scopes []string) (TokenUse, error)
 }
 
 func AccessTokenFromRequest(req *http.Request) string {
@@ -52,16 +52,16 @@ func AccessTokenFromRequest(req *http.Request) string {
 	return split[1]
 }
 
-func (f *Fosite) IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scopes ...string) (TokenType, AccessRequester, error) {
+func (f *Fosite) IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scopes ...string) (TokenUse, AccessRequester, error) {
 	var found = false
-	var foundTokenType TokenType = ""
+	var foundTokenUse TokenUse = ""
 
 	ar := NewAccessRequest(session)
 	for _, validator := range f.TokenIntrospectionHandlers {
-		tt, err := validator.IntrospectToken(ctx, token, tokenType, ar, scopes)
+		tu, err := validator.IntrospectToken(ctx, token, tokenUse, ar, scopes)
 		if err == nil {
 			found = true
-			foundTokenType = tt
+			foundTokenUse = tu
 		} else if errors.Is(err, ErrUnknownRequest) {
 			// do nothing
 		} else {
@@ -74,5 +74,5 @@ func (f *Fosite) IntrospectToken(ctx context.Context, token string, tokenType To
 		return "", nil, errors.WithStack(ErrRequestUnauthorized.WithHint("Unable to find a suitable validation strategy for the token, thus it is invalid."))
 	}
 
-	return foundTokenType, ar, nil
+	return foundTokenUse, ar, nil
 }

introspect_test.go

@@ -88,24 +88,24 @@ func TestIntrospect(t *testing.T) {
 			scopes:      []string{"foo"},
 			setup: func() {
 				f.TokenIntrospectionHandlers = TokenIntrospectionHandlers{validator}
-				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), ErrUnknownRequest)
+				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), ErrUnknownRequest)
 			},
 			expectErr: ErrRequestUnauthorized,
 		},
 		{
 			description: "should fail",
 			scopes:      []string{"foo"},
 			setup: func() {
-				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), ErrInvalidClient)
+				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), ErrInvalidClient)
 			},
 			expectErr: ErrInvalidClient,
 		},
 		{
 			description: "should pass",
 			setup: func() {
-				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Do(func(ctx context.Context, _ string, _ TokenType, accessRequest AccessRequester, _ []string) {
+				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Do(func(ctx context.Context, _ string, _ TokenUse, accessRequest AccessRequester, _ []string) {
 					accessRequest.(*AccessRequest).GrantedScope = []string{"bar"}
-				}).Return(TokenType(""), nil)
+				}).Return(TokenUse(""), nil)
 			},
 		},
 		{
@@ -114,7 +114,7 @@ func TestIntrospect(t *testing.T) {
 			setup: func() {
 				validator.EXPECT().IntrospectToken(nil, "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Do(func(ctx context.Context, _ string, _ TokenType, accessRequest AccessRequester, _ []string) {
 					accessRequest.(*AccessRequest).GrantedScope = []string{"bar"}
-				}).Return(TokenType(""), nil)
+				}).Return(TokenUse(""), nil)
 			},
 		},
 	} {

introspection_request_handler.go

@@ -119,17 +119,17 @@ func (f *Fosite) NewIntrospectionRequest(ctx context.Context, r *http.Request, s
 	}
 
 	token := r.PostForm.Get("token")
-	tokenType := r.PostForm.Get("token_type_hint")
+	tokenTypeHint := r.PostForm.Get("token_type_hint")
 	scope := r.PostForm.Get("scope")
 	if clientToken := AccessTokenFromRequest(r); clientToken != "" {
 		if token == clientToken {
 			return &IntrospectionResponse{Active: false}, errors.WithStack(ErrRequestUnauthorized.WithHint("Bearer and introspection token are identical."))
 		}
 
-		if tt, _, err := f.IntrospectToken(ctx, clientToken, AccessToken, session.Clone()); err != nil {
+		if tu, _, err := f.IntrospectToken(ctx, clientToken, AccessToken, session.Clone()); err != nil {
 			return &IntrospectionResponse{Active: false}, errors.WithStack(ErrRequestUnauthorized.WithHint("HTTP Authorization header missing, malformed, or credentials used are invalid."))
-		} else if tt != "" && tt != AccessToken {
-			return &IntrospectionResponse{Active: false}, errors.WithStack(ErrRequestUnauthorized.WithHintf("HTTP Authorization header did not provide a token of type \"access_token\", got type \"%s\".", tt))
+		} else if tu != "" && tu != AccessToken {
+			return &IntrospectionResponse{Active: false}, errors.WithStack(ErrRequestUnauthorized.WithHintf("HTTP Authorization header did not provide a token of type \"access_token\", got type \"%s\".", tu))
 		}
 	} else {
 		id, secret, ok := r.BasicAuth()
@@ -158,22 +158,29 @@ func (f *Fosite) NewIntrospectionRequest(ctx context.Context, r *http.Request, s
 		}
 	}
 
-	tt, ar, err := f.IntrospectToken(ctx, token, TokenType(tokenType), session, RemoveEmpty(strings.Split(scope, " "))...)
+	tu, ar, err := f.IntrospectToken(ctx, token, TokenUse(tokenTypeHint), session, RemoveEmpty(strings.Split(scope, " "))...)
 	if err != nil {
 		return &IntrospectionResponse{Active: false}, errors.WithStack(ErrInactiveToken.WithHint("An introspection strategy indicated that the token is inactive.").WithCause(err).WithDebug(err.Error()))
 	}
+	accessTokenType := ""
+
+	if tu == AccessToken {
+		accessTokenType = BearerAccessToken
+	}
 
 	return &IntrospectionResponse{
 		Active:          true,
 		AccessRequester: ar,
-		TokenType:       tt,
+		TokenUse:        tu,
+		AccessTokenType: accessTokenType,
 	}, nil
 }
 
 type IntrospectionResponse struct {
 	Active          bool            `json:"active"`
 	AccessRequester AccessRequester `json:"extra"`
-	TokenType       TokenType       `json:"token_type,omitempty"`
+	TokenUse        TokenUse        `json:"token_use,omitempty"`
+	AccessTokenType string          `json:"token_type,omitempty"`
 }
 
 func (r *IntrospectionResponse) IsActive() bool {
@@ -184,6 +191,10 @@ func (r *IntrospectionResponse) GetAccessRequester() AccessRequester {
 	return r.AccessRequester
 }
 
-func (r *IntrospectionResponse) GetTokenType() TokenType {
-	return r.TokenType
+func (r *IntrospectionResponse) GetTokenUse() TokenUse {
+	return r.TokenUse
+}
+
+func (r *IntrospectionResponse) GetAccessTokenType() string {
+	return r.AccessTokenType
 }

introspection_request_handler_test.go

@@ -40,6 +40,57 @@ import (
 	"github.com/ory/fosite/storage"
 )
 
+func TestIntrospectionResponseTokenUse(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	validator := internal.NewMockTokenIntrospector(ctrl)
+	defer ctrl.Finish()
+
+	f := compose.ComposeAllEnabled(new(compose.Config), storage.NewExampleStore(), []byte{}, nil).(*Fosite)
+	httpreq := &http.Request{
+		Method: "POST",
+		Header: http.Header{
+			"Authorization": []string{"bearer some-token"},
+		},
+		PostForm: url.Values{
+			"token": []string{"introspect-token"},
+		},
+	}
+	for k, c := range []struct {
+		description string
+		setup       func()
+		expectedTU  TokenUse
+		expectedATT string
+	}{
+		{
+			description: "introspecting access token",
+			setup: func() {
+				f.TokenIntrospectionHandlers = TokenIntrospectionHandlers{validator}
+				validator.EXPECT().IntrospectToken(context.TODO(), "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(AccessToken, nil)
+			},
+			expectedATT: BearerAccessToken,
+			expectedTU:  AccessToken,
+		},
+		{
+			description: "introspecting refresh token",
+			setup: func() {
+				f.TokenIntrospectionHandlers = TokenIntrospectionHandlers{validator}
+				validator.EXPECT().IntrospectToken(context.TODO(), "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(RefreshToken, nil)
+			},
+			expectedATT: "",
+			expectedTU:  RefreshToken,
+		},
+	} {
+		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
+			c.setup()
+			res, err := f.NewIntrospectionRequest(context.TODO(), httpreq, &DefaultSession{})
+			require.NoError(t, err)
+			assert.Equal(t, c.expectedATT, res.GetAccessTokenType())
+			assert.Equal(t, c.expectedTU, res.GetTokenUse())
+		})
+	}
+}
 func TestIntrospectionResponse(t *testing.T) {
 	r := &fosite.IntrospectionResponse{
 		AccessRequester: fosite.NewAccessRequest(nil),
@@ -88,8 +139,8 @@ func TestNewIntrospectionRequest(t *testing.T) {
 						"token": []string{"introspect-token"},
 					},
 				}
-				validator.EXPECT().IntrospectToken(context.TODO(), "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), nil)
-				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), newErr)
+				validator.EXPECT().IntrospectToken(context.TODO(), "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), newErr)
 			},
 			isActive:  false,
 			expectErr: ErrInactiveToken,
@@ -107,8 +158,8 @@ func TestNewIntrospectionRequest(t *testing.T) {
 						"token": []string{"introspect-token"},
 					},
 				}
-				validator.EXPECT().IntrospectToken(context.TODO(), "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), nil)
-				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "some-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
 			},
 			isActive: true,
 		},
@@ -126,7 +177,7 @@ func TestNewIntrospectionRequest(t *testing.T) {
 						"token": []string{"introspect-token"},
 					},
 				}
-				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
 			},
 			isActive: true,
 		},
@@ -144,7 +195,7 @@ func TestNewIntrospectionRequest(t *testing.T) {
 						"token": []string{"introspect-token"},
 					},
 				}
-				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenType(""), nil)
+				validator.EXPECT().IntrospectToken(context.TODO(), "introspect-token", gomock.Any(), gomock.Any(), gomock.Any()).Return(TokenUse(""), nil)
 			},
 			isActive: true,
 		},

introspection_response_writer_test.go

@@ -82,9 +82,9 @@ func TestWriteIntrospectionResponseBody(t *testing.T) {
 			description: "should success for not expired access token",
 			setup: func() {
 				ires.Active = true
-				ires.TokenType = AccessToken
+				ires.TokenUse = AccessToken
 				sess := &DefaultSession{}
-				sess.SetExpiresAt(ires.TokenType, time.Now().Add(time.Hour*2))
+				sess.SetExpiresAt(ires.TokenUse, time.Now().Add(time.Hour*2))
 				ires.AccessRequester = NewAccessRequest(sess)
 			},
 			active: true,
@@ -94,9 +94,9 @@ func TestWriteIntrospectionResponseBody(t *testing.T) {
 			description: "should success for expired access token",
 			setup: func() {
 				ires.Active = false
-				ires.TokenType = AccessToken
+				ires.TokenUse = AccessToken
 				sess := &DefaultSession{}
-				sess.SetExpiresAt(ires.TokenType, time.Now().Add(-time.Hour*2))
+				sess.SetExpiresAt(ires.TokenUse, time.Now().Add(-time.Hour*2))
 				ires.AccessRequester = NewAccessRequest(sess)
 			},
 			active: false,
@@ -106,9 +106,9 @@ func TestWriteIntrospectionResponseBody(t *testing.T) {
 			description: "should success for ExpiresAt not set access token",
 			setup: func() {
 				ires.Active = true
-				ires.TokenType = AccessToken
+				ires.TokenUse = AccessToken
 				sess := &DefaultSession{}
-				sess.SetExpiresAt(ires.TokenType, time.Time{})
+				sess.SetExpiresAt(ires.TokenUse, time.Time{})
 				ires.AccessRequester = NewAccessRequest(sess)
 			},
 			active: true,

oauth2.go

@@ -28,13 +28,18 @@ import (
 	"time"
 )
 
+type TokenUse = TokenType
+
+//type TokenUse string
 type TokenType string
 
 const (
 	AccessToken   TokenType = "access_token"
 	RefreshToken  TokenType = "refresh_token"
 	AuthorizeCode TokenType = "authorize_code"
 	IDToken       TokenType = "id_token"
+
+	BearerAccessToken string = "bearer"
 )
 
 // OAuth2Provider is an interface that enables you to write OAuth2 handlers with only a few lines of code.
@@ -143,7 +148,7 @@ type OAuth2Provider interface {
 
 	// IntrospectToken returns token metadata, if the token is valid. Tokens generated by the authorization endpoint,
 	// such as the authorization code, can not be introspected.
-	IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (TokenType, AccessRequester, error)
+	IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scope ...string) (TokenUse, AccessRequester, error)
 
 	// NewIntrospectionRequest initiates token introspection as defined in
 	// https://tools.ietf.org/search/rfc7662#section-2.1
@@ -168,9 +173,13 @@ type IntrospectionResponder interface {
 	// AccessRequester returns nil when IsActive() is false and the original access request object otherwise.
 	GetAccessRequester() AccessRequester
 
-	// GetTokenType optionally returns the type of the token that was introspected. The could be "access_token", "refresh_token",
+	// GetTokenUse optionally returns the type of the token that was introspected. This could be "access_token", "refresh_token",
 	// or if the type can not be determined an empty string.
-	GetTokenType() TokenType
+	GetTokenUse() TokenUse
+
+	//GetAccessTokenType optionally returns the type of the access token that was introspected. This could be "bearer", "mac",
+	// or empty string if the type of the token is refresh token.
+	GetAccessTokenType() string
 }
 
 // Requester is an abstract interface for handling requests in Fosite.