diff --git a/introspection_response_writer.go b/introspection_response_writer.go
index 7e136a75..13813f82 100644
--- a/introspection_response_writer.go
+++ b/introspection_response_writer.go
@@ -194,40 +194,43 @@ func (f *Fosite) WriteIntrospectionResponse(ctx context.Context, rw http.Respons
  "active": true,
  }
 
- extraClaimsSession, ok := r.GetAccessRequester().GetSession().(ExtraClaimsSession)
- if ok {
- extraClaims := extraClaimsSession.GetExtraClaims()
- for name, value := range extraClaims {
- switch name {
- // We do not allow these to be set through extra claims.
- case "exp", "client_id", "scope", "iat", "sub", "aud", "username":
- continue
- default:
- response[name] = value
- }
- }
- }
-
- if !r.GetAccessRequester().GetSession().GetExpiresAt(AccessToken).IsZero() {
- response["exp"] = r.GetAccessRequester().GetSession().GetExpiresAt(AccessToken).Unix()
- }
- if r.GetAccessRequester().GetClient().GetID() != "" {
- response["client_id"] = r.GetAccessRequester().GetClient().GetID()
- }
- if len(r.GetAccessRequester().GetGrantedScopes()) > 0 {
- response["scope"] = strings.Join(r.GetAccessRequester().GetGrantedScopes(), " ")
+ if !r.GetAccessRequester().GetSession().GetExpiresAt(r.GetTokenUse()).IsZero() {
+ response["exp"] = r.GetAccessRequester().GetSession().GetExpiresAt(r.GetTokenUse()).Unix()
  }
  if !r.GetAccessRequester().GetRequestedAt().IsZero() {
  response["iat"] = r.GetAccessRequester().GetRequestedAt().Unix()
  }
- if r.GetAccessRequester().GetSession().GetSubject() != "" {
- response["sub"] = r.GetAccessRequester().GetSession().GetSubject()
- }
- if len(r.GetAccessRequester().GetGrantedAudience()) > 0 {
- response["aud"] = r.GetAccessRequester().GetGrantedAudience()
+ if r.GetAccessRequester().GetClient().GetID() != "" {
+ response["client_id"] = r.GetAccessRequester().GetClient().GetID()
  }
- if r.GetAccessRequester().GetSession().GetUsername() != "" {
- response["username"] = r.GetAccessRequester().GetSession().GetUsername()
+
+ if r.GetTokenUse() == AccessToken {
+ extraClaimsSession, ok := r.GetAccessRequester().GetSession().(ExtraClaimsSession)
+ if ok {
+ extraClaims := extraClaimsSession.GetExtraClaims()
+ for name, value := range extraClaims {
+ switch name {
+ // We do not allow these to be set through extra claims.
+ case "exp", "client_id", "scope", "iat", "sub", "aud", "username":
+ continue
+ default:
+ response[name] = value
+ }
+ }
+ }
+
+ if len(r.GetAccessRequester().GetGrantedScopes()) > 0 {
+ response["scope"] = strings.Join(r.GetAccessRequester().GetGrantedScopes(), " ")
+ }
+ if r.GetAccessRequester().GetSession().GetSubject() != "" {
+ response["sub"] = r.GetAccessRequester().GetSession().GetSubject()
+ }
+ if len(r.GetAccessRequester().GetGrantedAudience()) > 0 {
+ response["aud"] = r.GetAccessRequester().GetGrantedAudience()
+ }
+ if r.GetAccessRequester().GetSession().GetUsername() != "" {
+ response["username"] = r.GetAccessRequester().GetSession().GetUsername()
+ }
  }
 
  _ = json.NewEncoder(rw).Encode(response)
diff --git a/introspection_response_writer_test.go b/introspection_response_writer_test.go
index 431dd4e8..d36b5fcf 100644
--- a/introspection_response_writer_test.go
+++ b/introspection_response_writer_test.go
@@ -128,6 +128,21 @@ func TestWriteIntrospectionResponseBody(t *testing.T) {
  hasExp: false,
  hasExtra: true,
  },
+ {
+ description: "should work with refresh token",
+ setup: func() {
+ ires.Active = true
+ ires.TokenUse = RefreshToken
+ sess := &DefaultSession{}
+ // Extra claims should not be exposed for refresh tokens.
+ sess.GetExtraClaims()["extra"] = "foobar"
+ sess.SetExpiresAt(ires.TokenUse, time.Now().Add(-time.Hour*2))
+ ires.AccessRequester = NewAccessRequest(sess)
+ },
+ active: true,
+ hasExp: true,
+ hasExtra: false,
+ },
  } {
  t.Run(c.description, func(t *testing.T) {
  c.setup()
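Review bot: The reserved-name list in the extra-claims `switch` does not include `active`, yet `response` is seeded with `"active": true` at the top of the hunk, so a session extra claim named `active` silently overwrites the one field every introspection caller relies on (`exp`, `iat` and `client_id`, written before the loop, are protected only because they are in the list). Extend the case to `case "active", "exp", "client_id", "scope", "iat", "sub", "aud", "username":`; any other key the response map sets before this loop (its literal starts above the hunk, so I cannot see them) needs the same treatment. The new `if r.GetTokenUse() == AccessToken` branch would also read better with a one-line comment such as `// Only access tokens expose scope, subject, audience, username and extra claims.` WriteIntrospectionResponse begins before the hunk.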
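Review bot: The new refresh-token case leaves `sess` as a bare `&DefaultSession{}` with no subject or username and a requester with no granted scopes or audience, so `hasExtra: false` only verifies that the extra claim is withheld; the suppression of `sub`, `username`, `scope` and `aud` for refresh tokens is not exercised and would pass even if the production branch regressed. Populate those values in `setup` and assert they are absent from the decoded body (the case struct's fields are declared above the hunk, so this likely needs an additional flag). Separately, `time.Now().Add(-time.Hour*2)` sets an expiry two hours in the past on a case marked `active: true`; if that is deliberate because the writer trusts `ires.Active` rather than checking expiry, a comment saying so (e.g. `// Expiry is already past; the writer reports whatever Active says.`) keeps a reader from taking it for a mistake. TestWriteIntrospectionResponseBody begins before the hunk.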