pub async fn introspect(
    pool: Data<PgPool>,
    __arg1: OAuthValidated<IntrospectQuery>,
    app_conf: Data<ApplicationConfiguration>,
) -> ControllerResult<HttpResponse>

Handles the /introspect endpoint for OAuth 2.0 token introspection (RFC 7662).

This endpoint allows resource servers to query the authorization server about the active state and metadata of an access token.

§Security Features

  • Client authentication is required (client_id, plus client_secret for confidential clients)
  • Returns active: false for unknown, expired or revoked tokens and also for client authentication failures, so a caller cannot tell "bad credentials" from "bad token" and cannot enumerate tokens (RFC 7662 §2.2 would also permit an HTTP 401 for failed client authentication; this endpoint answers active: false instead)
  • Always returns 200 OK with Cache-Control: no-store, even for invalid tokens (RFC 7662 §2.2 requires active: false with a 200 for tokens that are not active)

§Request Parameters

  • token (required): The token to be introspected
  • token_type_hint (optional): Hint about token type (“access_token” or “refresh_token”); it only guides the lookup, and a wrong hint must not make a valid token appear inactive (RFC 7662 §2.1 requires the server to extend its search across all token types when the hinted lookup fails)
  • client_id (required): Client identifier
  • client_secret (required for confidential clients): Client secret

§Response

Returns a JSON object with:

  • active (bool, required): Whether the token is active
  • Additional fields only present if active: true:
    • scope: Space-separated list of scopes
    • client_id: Client identifier
    • username/sub: User identifier (present only when the token is bound to a user)
    • exp: Expiration timestamp (Unix time)
    • iat: Issued at timestamp (Unix time)
    • aud: Audience
    • iss: Issuer
    • jti: JWT ID
    • token_type: “Bearer” or “DPoP”

Follows RFC 7662 — OAuth 2.0 Token Introspection.
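The decision logic such a handler applies before answering, as an added worked example that is not the project's code. The in-memory token store, the type names (TokenRecord, Client, Response), the form parser and the authorization policy (the issuing client or any resource server named in aud may introspect the token) are assumptions; the sample data mirrors the request and response shown in the example below.

```rust
// Added example, not the project's code: the decision logic behind an RFC 7662
// introspection handler. Type names, the in-memory store and the authorization
// policy (issuing client or listed audience may introspect) are assumptions.
use std::collections::BTreeMap;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Kind { Access, Refresh }

#[derive(Clone, Debug)]
pub struct TokenRecord {
    pub value: &'static str,
    pub kind: Kind,
    pub client_id: &'static str,  // client the token was issued to
    pub aud: Vec<&'static str>,   // resource servers the token is meant for
    pub scope: Vec<&'static str>,
    pub sub: Option<&'static str>,
    pub iat: u64,
    pub exp: u64,
    pub jti: &'static str,
    pub token_type: &'static str, // "Bearer" or "DPoP"
    pub revoked: bool,
}

/// Registered caller of the endpoint; `secret` is None for public clients.
pub struct Client { pub id: &'static str, pub secret: Option<&'static str> }

/// Status is always 200 (RFC 7662 §2.2); only the body distinguishes outcomes.
#[derive(Debug, PartialEq)]
pub struct Response { pub status: u16, pub cache_control: &'static str, pub body: String }

const ISSUER: &str = "https://example.com/api/v0/main-frontend/oauth"; // assumed issuer

/// Parse an application/x-www-form-urlencoded body ('+' and %XX decoding).
pub fn parse_form(body: &str) -> BTreeMap<String, String> {
    fn decode(s: &str) -> String {
        let (b, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
        while i < b.len() {
            let hex = b.get(i + 1..i + 3)
                .and_then(|h| std::str::from_utf8(h).ok())
                .and_then(|h| u8::from_str_radix(h, 16).ok());
            match (b[i], hex) {
                (b'+', _) => { out.push(b' '); i += 1; }
                (b'%', Some(v)) => { out.push(v); i += 3; }
                (c, _) => { out.push(c); i += 1; }
            }
        }
        String::from_utf8_lossy(&out).into_owned()
    }
    body.split('&').filter(|kv| !kv.is_empty()).map(|kv| {
        let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
        (decode(k), decode(v))
    }).collect()
}

/// Secret comparison with no early exit on the first differing byte.
fn secret_eq(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut diff = a.len() ^ b.len();
    for (x, y) in a.iter().zip(b) { diff |= (x ^ y) as usize; }
    diff == 0
}

/// Minimal JSON string encoding for the response body.
fn jstr(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out + "\""
}

fn inactive() -> Response {
    Response { status: 200, cache_control: "no-store", body: r#"{"active":false}"#.into() }
}

pub fn introspect(form: &BTreeMap<String, String>, clients: &[Client], store: &[TokenRecord], now: u64) -> Response {
    // Client authentication first. Every failure path below returns the same
    // body, so a caller cannot tell bad credentials from an unknown token.
    let Some(client) = form.get("client_id").and_then(|id| clients.iter().find(|c| c.id == id.as_str())) else {
        return inactive();
    };
    if let Some(secret) = client.secret {
        match form.get("client_secret") {
            Some(given) if secret_eq(given, secret) => {}
            _ => return inactive(),
        }
    }
    let Some(token) = form.get("token") else { return inactive() };
    // token_type_hint only orders the lookup (RFC 7662 §2.1); a wrong hint must
    // not hide a valid token, so the other kind is searched as a fallback.
    let hinted = match form.get("token_type_hint").map(String::as_str) {
        Some("refresh_token") => Kind::Refresh,
        _ => Kind::Access,
    };
    let found = store.iter().find(|t| t.kind == hinted && t.value == token.as_str())
        .or_else(|| store.iter().find(|t| t.kind != hinted && t.value == token.as_str()));
    let Some(rec) = found else { return inactive() };
    // Expired, revoked or not meant for this caller all look identical to "unknown".
    let authorized = rec.client_id == client.id || rec.aud.contains(&client.id);
    if rec.revoked || rec.exp <= now || !authorized { return inactive(); }

    // Metadata is emitted only on the active path.
    let mut fields = vec![("active", "true".to_string()), ("scope", jstr(&rec.scope.join(" "))), ("client_id", jstr(rec.client_id))];
    if let Some(sub) = rec.sub { fields.push(("sub", jstr(sub))); fields.push(("username", jstr(sub))); }
    fields.push(("exp", rec.exp.to_string()));
    fields.push(("iat", rec.iat.to_string()));
    if !rec.aud.is_empty() {
        fields.push(("aud", format!("[{}]", rec.aud.iter().map(|a| jstr(a)).collect::<Vec<_>>().join(","))));
    }
    fields.extend([("iss", jstr(ISSUER)), ("jti", jstr(rec.jti)), ("token_type", jstr(rec.token_type))]);
    let body = fields.iter().map(|(k, v)| format!("{}:{}", jstr(k), v)).collect::<Vec<_>>().join(",");
    Response { status: 200, cache_control: "no-store", body: format!("{{{body}}}") }
}

/// Constructed sample data mirroring the request/response examples on this page.
pub fn sample() -> (Vec<Client>, Vec<TokenRecord>) {
    let clients = vec![
        Client { id: "test-client-id", secret: Some("test-secret") },
        Client { id: "api-resource", secret: Some("rs-secret") },
    ];
    let tokens = vec![TokenRecord {
        value: "ACCESS_TOKEN", kind: Kind::Access, client_id: "test-client-id",
        aud: vec!["api-resource"], scope: vec!["openid", "profile", "email"],
        sub: Some("550e8400-e29b-41d4-a716-446655440000"), iat: 1735686000, exp: 1735689600,
        jti: "123e4567-e89b-12d3-a456-426614174000", token_type: "Bearer", revoked: false,
    }];
    (clients, tokens)
}

fn main() {
    let (clients, tokens) = sample();
    let form = parse_form("token=ACCESS_TOKEN&client_id=test-client-id&client_secret=test-secret");
    let r = introspect(&form, &clients, &tokens, 1735687000);
    println!("HTTP {}\nCache-Control: {}\n\n{}", r.status, r.cache_control, r.body);
}
```

The ordering of the checks is the point: client authentication is settled before the token is even looked up, and every failure (bad secret, unknown client, unknown token, expired, revoked, caller not allowed to see this token) collapses to the same 200 response with {"active":false}, so the only observable difference is between an authorized, live token and everything else. A real handler would back the store with the database and should also guard the secret comparison and the token lookup against timing differences beyond what this sketch does.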

§Example

POST /api/v0/main-frontend/oauth/introspect HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=ACCESS_TOKEN&client_id=test-client-id&client_secret=test-secret

Successful response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "active": true,
  "scope": "openid profile email",
  "client_id": "test-client-id",
  "sub": "550e8400-e29b-41d4-a716-446655440000",
  "username": "550e8400-e29b-41d4-a716-446655440000",
  "exp": 1735689600,
  "iat": 1735686000,
  "iss": "https://example.com/api/v0/main-frontend/oauth",
  "jti": "123e4567-e89b-12d3-a456-426614174000",
  "token_type": "Bearer"
}

Inactive token response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "active": false
}