[plugin/openid-connect] Consider Adding Introspection to Tokens stored in Session

[james-mchugh]

A common application security STIG is to automatically terminate sessions upon account deletion. A typical way of implementing this is to utilize token introspection to see if a user's token is still active whenever a request is sent (possibly with some TTL cache in place).

This currently works fine for bearer only authentication, but it does not work for the relying party flow. Even with introspection configured with a low introspection_interval (5 seconds for example), a deleted user's session in Apisix will not end until the token expires and has to be refreshed.

Looking at the lua-rest-openidc plugin, the openidc.authenticate method for the relying party flow returns the access token. It should be possible to pass this back to the openidc.introspect to introspect it if introspection is enabled. This would allow tokens stored in the session to also benefit from token introspection.

[brentmjohnson]

as a dirty solution, this seems to work here: https://github.com/apache/apisix/blob/1a45d1da896d22048b08b1bdc1218a84468a98a2/apisix/plugins/openid-connect.lua#L587C9-L587C25

        if response then

            if conf.introspection_endpoint then
                core.log.debug("Starting introspection of access token")

                local existing_auth_header = core.request.header(ctx, "Authorization")
                if not existing_auth_header then
                    core.request.add_header(ctx, "Authorization", "Bearer " .. response.access_token)
                end

                local _, err = openidc.introspect(conf)
                
                if not existing_auth_header then
                    ngx.req.clear_header("Authorization")
                end

                if err then
                    if err == "invalid token" then
                        if session then session:destroy() end

                        if conf.unauth_action == "pass" then
                            return nil
                        end

                        response, err, _, session  = openidc.authenticate(conf, nil, unauth_action, conf)
                        if err then
                            if err == "unauthorized request" then
                                if conf.unauth_action == "pass" then
                                    return nil
                                end
                                return 401
                            end
                            core.log.error("OIDC authentication failed: ", err)
                            return 500
                        end
                    else
                        core.log.error("OIDC introspection failed: ", err)
                        return 500
                    end
                end
            end

[brentmjohnson]

got around to testing this with introspection_interval: 5 and distributed tracing: