
FI-2254 Implement token introspection #112

Merged (9 commits), Dec 7, 2023

Conversation

arscan
Contributor

@arscan arscan commented Oct 19, 2023

Summary

Adds token introspection capabilities per openid token introspection standard

Testing guidance

I recommend that @alisawallace verifies the token introspection stuff, and that @Jammjammjamm or @dehall just does a quick check to make sure that I didn't mess up any of the other stuff. g10 tests seem to pass still when I run this (and running g10 helped me identify a problem with the capstatement).

For testing against the new token introspection tests: I recommend:

In the smart app launch test kit, assuming a 'ruby development setup', do the following:

  • remove from .env and .env.development the COMPOSE_PROFILES=keycloak line -- I was having a little bit of trouble with this interfering with the reference server when running it at the same time, so let's just not start keycloak any more.
  • inferno services start to start the background services (db, redis, etc)
  • inferno start to start the application
  • visit http://localhost:4567
  • select STU2 of the smart app launch
  • select 'Inferno Reference Server' preset
  • Run 'standalone launch' tests
  • change endpoint to http://localhost:8080/reference-server/r4
  • click through and the tests should pass, except for TLS
  • In test 1.1.01 (discovery), take a look at the output tab and grab the token introspection url from there (will be http://localhost:8080/reference-server/oauth/token/introspect)
  • run the token introspection test
  • appropriately split up the URL so that the current inputs work (note how we will want a single introspection url input instead of having them split up in two inputs later)
  • select the 'standalone test' to get the bearer token from
  • turn off 'include scope' thing for keycloak on the bottom
  • run the group tests
  • You'll get blocked by the fact that the token is not a JWK, which is not a valid requirement as we had discussed
  • Remove a bunch of code in that test so that it really is just verifying that the POST returns 'active = true'
  • restart the inferno tests, it should now pass

This should allow us to pivot over to a more realistic test scenario where we aren't spread across two different auth servers in the test kit.

@arscan arscan requested a review from alisawallace October 19, 2023 20:47
@arscan arscan changed the title Initial token introspection with incomplete fields. FI-2254 Initial token introspection with incomplete fields. Oct 19, 2023
@alisawallace

@arscan confirming that this implementation is working with the instructions you provided. Thanks for getting this set up!

@arscan arscan changed the title FI-2254 Initial token introspection with incomplete fields. WIP FI-2254 Initial token introspection with incomplete fields. Nov 6, 2023
@arscan arscan changed the title WIP FI-2254 Initial token introspection with incomplete fields. FI-2254 Implement token introspection Dec 1, 2023
@arscan arscan force-pushed the fi-2227-token-introspection branch from 14e2a2d to c6daa31 Compare December 1, 2023 22:00
@arscan arscan force-pushed the fi-2227-token-introspection branch from c6daa31 to 72191c2 Compare December 1, 2023 22:05
@arscan arscan requested review from Jammjammjamm and dehall December 1, 2023 22:33

@dehall dehall left a comment


Looked through the code and I don't have any real concerns, just a couple of trivial notes. I want to run through the g10 test kit with this myself tomorrow though.

Token customBearerToken = new Token(customBearerTokenString,
FhirReferenceServerUtils.getScopesListByScopeString(CUSTOM_BEARER_TOKEN_SCOPE_STRING));
customBearerToken.setClientId("SAMPLE_CLIENT_ID");
customBearerToken.setExp(java.time.Instant.now().getEpochSecond() + expiresIn);

Not sure if this is really better but you could leverage the java time libraries to do the time math:

      customBearerToken.setExp(Instant.now().plus(4, ChronoUnit.MONTHS).getEpochSecond());

}

} catch (TokenNotFoundException tokenNotFoundException) {
// This doesn't feel quite right, but am staying consistent

Reading up a little on the token introspection endpoint, this seems fine to me. I'm not sure even logging the exception is that necessary.
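The two review notes above both concern how the introspection endpoint should behave: how `exp` is derived from `expiresIn`, and what to return when the token lookup fails. The following is an added example, not code from this PR or the reference server, modelling the RFC 7662 response logic in Python with a constructed in-memory token store (the hypothetical `TOKEN_STORE`, `build_token` and `introspect` names stand in for the server's own lookup and `Token` class):

```python
import time


def scopes_from_string(scope_string):
    """Split a space-delimited OAuth scope string into a list (RFC 6749 section 3.3)."""
    return [s for s in scope_string.split(" ") if s]


def build_token(token_string, scope_string, client_id, expires_in, now):
    """Mirror the fields the review discusses: client_id, scopes, exp = now + expires_in."""
    return {"token": token_string, "client_id": client_id,
            "scopes": scopes_from_string(scope_string), "exp": now + expires_in}


# Constructed in-memory store (hypothetical stand-in, not project code); the reference
# server looks tokens up elsewhere and raises TokenNotFoundException on a miss.
ISSUED_AT = int(time.time())
TOKEN_STORE = {t["token"]: t for t in [
    build_token("custom-bearer", "launch/patient patient/*.read", "SAMPLE_CLIENT_ID", 3600, ISSUED_AT),
    build_token("stale-bearer", "patient/*.read", "SAMPLE_CLIENT_ID", 3600, ISSUED_AT - 7200),
]}


def introspect(token_string, caller_authenticated, store=TOKEN_STORE, now=None):
    """Return (http_status, body) for an RFC 7662 introspection request.

    Section 2.1: the calling resource server must authenticate, otherwise 401.
    Section 2.2: unknown, expired or otherwise invalid tokens all collapse to
    {"active": false}; a lookup miss is a normal answer, not an error, and the
    endpoint never says *why* the token is inactive.
    """
    if not caller_authenticated:
        return 401, {"error": "invalid_client"}
    now = int(time.time()) if now is None else now
    tok = store.get(token_string)
    if tok is None or tok["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, "client_id": tok["client_id"],
                 "scope": " ".join(tok["scopes"]), "exp": tok["exp"],
                 "token_type": "Bearer"}
```

One caveat on the `Instant.now().plus(4, ChronoUnit.MONTHS)` suggestion above: `Instant.plus` only accepts time-based units up to `DAYS` and throws `UnsupportedTemporalTypeException` for `MONTHS`, so a calendar-month expiry needs a `ZonedDateTime`/`OffsetDateTime` first (e.g. `OffsetDateTime.now(ZoneOffset.UTC).plusMonths(4).toEpochSecond()`).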


@alisawallace alisawallace left a comment


Works well for me! I tested it with both a public client ID and a confidential client ID and secret, everything (except TLS tests of course) passed and ref server output looks good.


The Token Introspection Endpoint URL is not listed here but may be worth including. I know it's not strictly necessary since it's included as part of the .well-known endpoints, but including it would allow someone to run only group 3 Token Introspection without first having to run Group 1 to get the endpoint. Ultimately up to you though!

@arscan arscan merged commit 603bc87 into main Dec 7, 2023
1 check passed
@arscan arscan deleted the fi-2227-token-introspection branch December 7, 2023 21:10