From 9d03eb2643b377d3bb486d1a5bc3533be9540b31 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Thu, 19 Feb 2026 17:49:13 +0100
Subject: [PATCH] Check internal ACL during token introspection

---
 src/oidcserver.js | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/oidcserver.js b/src/oidcserver.js
index 73bfb57ef..f19e9f007 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -645,7 +645,28 @@ async function start() {
 features: {
 rpInitiatedLogout: { enabled: false },
 jwtIntrospection: { enabled: true },
- introspection: { enabled: true },
+ introspection: {
+ enabled: true,
+ allowedPolicy: async function (ctx, client, token) {
+ // first default check of the module to ensure this is a valid client with auth
+ if (client.clientAuthMethod === 'none' && token.clientId !== ctx.oidc.client.clientId) return false;
+
+ const internalClient = await oidcClients.get(token.clientId);
+ if (!internalClient) return false;
+
+ // check if we have an app, if so we have to check access
+ const internalApp = internalClient.appId ? await apps.get(internalClient.appId) : null;
+ if (internalApp) {
+ const user = await users.getByUsername(token.accountId);
+ return apps.canAccess(app, user);
+ }
+
+ // unknown app
+ if (internalClient.appId) return false;
+
+ return true;
+ }
+ },
 devInteractions: { enabled: false }
 },
 clientDefaults: {
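Review bot: `return apps.canAccess(app, user);` inside the `if (internalApp)` branch references `app`, which is not declared anywhere in the new allowedPolicy; the app that was just looked up is bound to `internalApp`, so this line should read `return apps.canAccess(internalApp, user);`. Unless `app` happens to be in scope from the enclosing `start()` function (its body begins before this hunk), the ACL branch throws a ReferenceError for every token bound to an app instead of returning an access decision, so the check the commit sets out to add is never actually evaluated. It is also worth confirming what `users.getByUsername` returns when `token.accountId` is absent (e.g. a client-credentials token) and whether `apps.canAccess` tolerates a null user, since the result is returned directly as the policy verdict. A one-line comment above the call, such as `// only users with access to the client's app may introspect its tokens`, would make the intent of the verdict explicit.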