authentik/internal/outpost/proxyv2/application/auth_bearer.go

package application

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
)

func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
	auth := r.Header.Get(HeaderAuthorization)
	if auth == "" {
		return ""
	}
	if len(auth) < len(AuthBearer) || !strings.EqualFold(auth[:len(AuthBearer)], AuthBearer) {
		return ""
	}
	return auth[len(AuthBearer):]
}

type TokenIntrospectionResponse struct {
	Claims
	Scope    string `json:"scope"`
	Active   bool   `json:"active"`
	ClientID string `json:"client_id"`
}

func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
	values := url.Values{
		"client_id":     []string{a.oauthConfig.ClientID},
		"client_secret": []string{a.oauthConfig.ClientSecret},
		"token":         []string{token},
	}
	req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
	if err != nil {
		a.log.WithError(err).Warning("failed to create introspection request")
		return nil
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	res, err := a.httpClient.Do(req)
	if err != nil || res.StatusCode > 200 {
		a.log.WithError(err).Warning("failed to send introspection request")
		return nil
	}
	intro := TokenIntrospectionResponse{}
	err = json.NewDecoder(res.Body).Decode(&intro)
	if err != nil {
		a.log.WithError(err).Warning("failed to parse introspection response")
		return nil
	}
	if !intro.Active {
		a.log.Warning("token is not active")
		return nil
	}
	if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
		a.log.Error("token missing openid or profile scope")
		return nil
	}
	intro.RawToken = token
	a.log.Trace("successfully introspected bearer token")
	return &intro
}