
feat: OAuth 2.0 Token Introspection (RFC 7662, RFC 9701) #2

Open

Kunde21 wants to merge 16 commits into master from feat/token-introspection


Conversation

Kunde21 (Owner) commented May 20, 2026
Summary

  • Add Introspector client for resource-server style token introspection via NewIntrospector()
  • Add RP.IntrospectToken() for introspection from existing RP instances
  • Support all client authentication methods (basic, post, private_key_jwt, client_secret_jwt, TLS, self_signed_tls, none) with introspection-specific auth method resolution
  • Implement RFC 9701 signed JWT introspection response verification (signature, typ, iss, aud, iat, algorithm enforcement)
  • Add introspection metadata fields to AuthorizationServer with provider merge support
  • Support DPoP proof attachment, nonce retry, mTLS endpoint aliases, and auth method fallback

Test Plan

  • 37 introspection tests covering all auth methods, JWT response validation, RP entrypoint, error paths
  • go test ./... passes clean
  • gofumpt -w . and go vet ./... clean
  • Public API compile test in external test package
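The resource-server flow the summary describes (an introspection client authenticating to the introspection endpoint, decoding the RFC 7662 response, and treating every failure path as a refusal), as an added example that is not the PR's code. It reuses the names Introspector and IntrospectionResponse for readability, but these are this example's own definitions and do not reproduce the library's API; newFakeAS is a constructed in-process authorization server, and the client_id, secret and token values are made up. It uses client_secret_basic only; the other auth methods, DPoP and mTLS aliases listed above are out of scope here.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// IntrospectionResponse carries the RFC 7662 members this example acts on. Active is a
// pointer so a body that omits it can be told apart from active=false.
type IntrospectionResponse struct {
	Active *bool  `json:"active"`
	Scope  string `json:"scope,omitempty"`
}

// Introspector is a hypothetical resource-server client using client_secret_basic.
type Introspector struct {
	Endpoint, ClientID, ClientSecret string
	HTTP                             *http.Client
}

// Introspect posts the token as in RFC 7662 section 2.1 and decodes the reply. It fails
// closed: a transport error, non-200 status, undecodable body or missing "active" is an error.
func (in *Introspector) Introspect(ctx context.Context, token, hint string) (*IntrospectionResponse, error) {
	form := url.Values{"token": {token}}
	if hint != "" {
		form.Set("token_type_hint", hint)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, in.Endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")
	req.SetBasicAuth(in.ClientID, in.ClientSecret)
	resp, err := in.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var ir IntrospectionResponse
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&ir); err != nil {
		return nil, err
	}
	if ir.Active == nil {
		return nil, errors.New(`response lacks the required "active" member`)
	}
	return &ir, nil
}

// Authorize is the resource server's decision: an inactive token carries no trustworthy
// metadata (RFC 7662 section 2.2), so active is checked before scope is even read.
func Authorize(ir *IntrospectionResponse, needScope string) error {
	if !*ir.Active {
		return errors.New("token inactive")
	}
	for _, s := range strings.Fields(ir.Scope) {
		if s == needScope {
			return nil
		}
	}
	return fmt.Errorf("scope %q not granted", needScope)
}

// newFakeAS is a constructed authorization server: it authenticates the caller and
// answers active=false for unknown or revoked tokens instead of returning an error.
func newFakeAS(clientID, secret string, tokens map[string]IntrospectionResponse) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, pw, ok := r.BasicAuth(); !ok || id != clientID || pw != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		ir, found := tokens[r.FormValue("token")]
		if !found {
			inactive := false
			ir = IntrospectionResponse{Active: &inactive}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(ir)
	}))
}

func main() {
	active := true // constructed fixture: one known token, everything else is inactive
	srv := newFakeAS("rs-client", "s3cret", map[string]IntrospectionResponse{"tok-1": {Active: &active, Scope: "read write"}})
	defer srv.Close()
	in := &Introspector{Endpoint: srv.URL, ClientID: "rs-client", ClientSecret: "s3cret", HTTP: srv.Client()}
	ir, err := in.Introspect(context.Background(), "tok-1", "access_token")
	if err != nil {
		panic(err)
	}
	fmt.Println("active:", *ir.Active, "read allowed:", Authorize(ir, "read") == nil)
}
```

The two behaviours worth noticing are on the error side: an HTTP 401 from a wrong client secret is surfaced as an error rather than as "inactive", so a misconfigured resource server fails loudly, while an unknown token comes back as a well-formed active=false and is only refused by Authorize.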

Kunde21 and others added 16 commits May 5, 2026 23:12
Add normalizeResources and addResourceParameters helpers for RFC 8707
resource indicator support. normalizeResources trims whitespace, rejects
empty values, requires absolute URIs, and rejects fragments.

Add WithResources Option for default resource indicators, SetResources
AuthorizationURLOption for per-request overrides, and WithTokenResources
context helper for per-request token overrides. Add optionErrors to
clientConfig for deferred validation, checked in both New and
NewClientCredentials constructors.

Authorization URLs include repeated resource parameters. Resources are
preserved in signed request objects (JAR), PAR, and RP-hosted request_uri
flows. Callback correlation persists resources through the state store and
sends them during authorization-code token exchange.

RefreshToken sends configured default resources. WithTokenResources
overrides resources per-request via context.

ClientCredentials.Token sends configured default resources.
WithTokenResources overrides resources per-request via context.
Invalid context resources return errors before calling the endpoint.

Add Resource Indicators section to package doc, RFC 8707 capability to
README, and example test for WithResources with client credentials.

Add RFC 9701 introspection signing/encryption algorithm metadata
fields to AuthorizationServer and extend mergeProvider to merge
introspection endpoint configuration.

Add IntrospectionRequest, IntrospectionResponse with raw payload
preservation, TokenTypeHint constants, ErrIntrospectionFailed sentinel,
and Introspector struct stub.

Add NewIntrospector constructor with endpoint-specific auth method
resolution. Extract selectAuthMethodFromSupported from
resolveAuthMethodFromProvider for reuse. Add introspectionEndpoint
helper with mTLS alias support.

Add Introspector.IntrospectToken and RP.IntrospectToken methods with
client_secret_basic, client_secret_post, private_key_jwt,
client_secret_jwt, TLS, and none auth method support. Includes DPoP
retry, auth method fallback, and extracted buildClientSecretJWTAssertion
shared helper.

Add tests and implementation for private_key_jwt, client_secret_jwt,
none, self_signed_tls_client_auth, auth method fallback (post to
basic), DPoP proof attachment, and DPoP nonce retry.

Add JWT introspection response validation with signature verification,
typ/iss/aud/iat claims checking, algorithm enforcement from provider
metadata, encrypted JWT rejection, and none algorithm rejection.

Fix doJSONStatus to preserve custom Accept headers.

Add RP.IntrospectToken tests for credentials, introspection-specific
auth methods, error paths. Add introspectionAuthMethod() to resolve
introspection endpoint auth independently from token endpoint. Add
public API compile test. Update package docs and README.

Use shouldUseDPoPForMethod(method) instead of shouldUseDPoP() so
that DPoP is correctly enabled when the introspection endpoint uses
a different auth method than the token endpoint. Also removes dead
code in introspectionAuthMethod and renames isJWTContentType to
looksLikeJWT for clarity.
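The signed-response checks the commit messages enumerate (signature verification, typ/iss/aud/iat checking, algorithm enforcement from provider metadata, encrypted JWT rejection and alg=none rejection), as an added example that is not the project's code. Verifier, introspectionClaims and signResponse are this example's own names; it pins the allowed algorithms by hand where the PR reads them from AuthorizationServer metadata, implements Ed25519/EdDSA only, and handles aud as a plain string. The issuer, audience and claim values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RFC 9701 requires this typ header on a signed introspection response.
const introspectionJWTTyp = "token-introspection+jwt"

// Verifier holds what the resource server knows out of band: the AS issuer, its own
// client_id (the expected aud), the AS public key, and the algs provider metadata allows.
type Verifier struct {
	Issuer, Audience string
	Key              ed25519.PublicKey
	AllowedAlgs      map[string]bool
}

// introspectionClaims is the RFC 9701 claim set. Iat is a pointer so "missing" is
// distinguishable from 0; aud is a string here, so an array-valued aud fails closed.
type introspectionClaims struct {
	Iss                string         `json:"iss"`
	Aud                string         `json:"aud"`
	Iat                *int64         `json:"iat"`
	TokenIntrospection map[string]any `json:"token_introspection"`
}

func b64dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
func b64enc(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }

// Verify checks a compact JWS introspection response and returns its token_introspection
// object. Header and signature are checked before any claim is read.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { // also rejects a five-part JWE, i.e. an encrypted response
		return nil, errors.New("expected a signed three-part compact JWS")
	}
	hdrJSON, err := b64dec(parts[0])
	var hdr struct{ Alg, Typ string } // encoding/json matches "alg"/"typ" case-insensitively
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("unreadable JOSE header")
	}
	// "none" is refused outright, the alg must be on the metadata allow-list, and this
	// example implements Ed25519 only, so EdDSA is the one alg it can actually verify.
	if strings.EqualFold(hdr.Alg, "none") || !v.AllowedAlgs[hdr.Alg] || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("alg %q not permitted", hdr.Alg)
	}
	if hdr.Typ != introspectionJWTTyp {
		return nil, fmt.Errorf("typ %q is not %q", hdr.Typ, introspectionJWTTyp)
	}
	sig, err := b64dec(parts[2])
	if err != nil || !ed25519.Verify(v.Key, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := b64dec(parts[1])
	var c introspectionClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("unreadable claims")
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, fmt.Errorf("iss %q does not match %q", c.Iss, v.Issuer)
	case c.Aud != v.Audience:
		return nil, errors.New("aud does not name this resource server")
	case c.Iat == nil || time.Unix(*c.Iat, 0).After(time.Now().Add(time.Minute)):
		return nil, errors.New("iat missing or in the future")
	case c.TokenIntrospection == nil:
		return nil, errors.New("token_introspection claim missing")
	}
	return c.TokenIntrospection, nil
}

// signResponse plays the authorization server and exists only to mint fixtures.
func signResponse(priv ed25519.PrivateKey, alg, typ string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": typ})
	p, _ := json.Marshal(claims)
	input := b64enc(h) + "." + b64enc(p)
	return input + "." + b64enc(ed25519.Sign(priv, []byte(input)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	v := &Verifier{Issuer: "https://as.example", Audience: "rs-client", Key: pub, AllowedAlgs: map[string]bool{"EdDSA": true}}
	claims := map[string]any{"iss": v.Issuer, "aud": v.Audience, "iat": time.Now().Unix(),
		"token_introspection": map[string]any{"active": true, "scope": "read"}}
	ti, err := v.Verify(signResponse(priv, "EdDSA", introspectionJWTTyp, claims))
	fmt.Println("active:", ti["active"], "err:", err)
	_, err = v.Verify(signResponse(priv, "EdDSA", "JWT", claims))
	fmt.Println("wrong typ:", err)
}
```

The ordering is the point: a correctly signed response with typ "JWT" is refused before the signature is even checked, and no claim is read until the signature has verified, so a forged or substituted payload cannot steer which checks run.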