Check internal ACL during token introspection

2026-02-19 17:49:13 +01:00
parent c801202642
commit 9d03eb2643
1 changed files with 22 additions and 1 deletions
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -645,7 +645,28 @@ async function start() {
        features: {
            rpInitiatedLogout: { enabled: false },
            jwtIntrospection: { enabled: true },
-            introspection: { enabled: true },
+            introspection: {
+                enabled: true,
+                allowedPolicy: async function (ctx, client, token) {
+                    // first default check of the module to ensure this is a valid client with auth
+                    if (client.clientAuthMethod === 'none' && token.clientId !== ctx.oidc.client.clientId) return false;
+
+                    const internalClient = await oidcClients.get(token.clientId);
+                    if (!internalClient) return false;
+
+                    // check if we have an app, if so we have to check access
+                    const internalApp = internalClient.appId ? await apps.get(internalClient.appId) : null;
+                    if (internalApp) {
+                        const user = await users.getByUsername(token.accountId);
+                        return apps.canAccess(app, user);
+                    }
+
+                    // unknown app
+                    if (internalClient.appId) return false;
+
+                    return true;
+                }
+            },
            devInteractions: { enabled: false }
        },
        clientDefaults: {