Description
Steps to reproduce
Our ResourceServer is a separate application from the AuthorizationServer, so we can't modify our controllers to invoke `doorkeeper_authorize!`. Instead, we call `token/introspect` on provided tokens. The RS is itself a client application; it uses `client_credentials` and has a special `introspect` scope to allow it to examine tokens issued by any other client. We noticed that revoke-on-use does not happen as it would if we could use the provided `doorkeeper_authorize!` action helper.
Expected behavior
Calling `token/introspect` on a token should have the same behavior as `doorkeeper_authorize!` has on it.
Actual behavior
The tokens aren't revoked, and we don't know the appropriate path to create portable behavior that is identical to `doorkeeper_authorize!`.
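For reference, this is the resource-server side of the flow described above, written as an added example (not code from the issue or from Doorkeeper): the RS posts the opaque token to Doorkeeper's `token/introspect` endpoint as its own `client_credentials` client and then applies the checks `doorkeeper_authorize!` would apply in-process (active, not expired, required scopes present). `AUTH_SERVER`, `CLIENT_ID`, `CLIENT_SECRET` and the sample response are placeholders/constructed; revoke-on-use of the previous refresh token is an authorization-server concern and, as the issue reports, is not triggered by this path.

```ruby
require "json"
require "net/http"
require "uri"

# Hypothetical placeholders for the RS's own client registration on the AS.
# The RS client is the one holding the "introspect" scope mentioned above.
AUTH_SERVER   = "https://auth.example.test"
CLIENT_ID     = "rs-client-id"
CLIENT_SECRET = "rs-client-secret"

# POST the bearer token to /oauth/token/introspect (RFC 7662) and return the
# parsed JSON body. Doorkeeper answers {"active": true, "scope": ..., "exp": ...}
# for a live token and {"active": false} for anything it will not vouch for.
def introspect(token)
  uri = URI("#{AUTH_SERVER}/oauth/token/introspect")
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(CLIENT_ID, CLIENT_SECRET)
  req.set_form_data("token" => token)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  JSON.parse(res.body)
end

# Decide whether an introspection response authorizes a request that needs
# required_scopes. Returns [ok, reason]. Checks mirror the in-process helper:
# the token must be active, unexpired, and carry every required scope.
def authorize_introspection(body, required_scopes:, now: Time.now.to_i)
  return [false, "inactive"] unless body["active"] == true
  exp = body["exp"]
  return [false, "expired"] if exp && exp.to_i <= now
  granted = body.fetch("scope", "").split
  missing = required_scopes - granted
  return [false, "missing scope: #{missing.join(' ')}"] unless missing.empty?
  [true, nil]
end

# Constructed sample response, shaped like Doorkeeper's active-token answer.
SAMPLE_RESPONSE = { "active" => true, "scope" => "read write", "exp" => 2_000_000_000 }.freeze
```

A request handler would call `introspect(bearer_token)` and pass the result to `authorize_introspection` with the endpoint's required scopes, rejecting the request with 401 on any `[false, reason]`.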
System configuration
Here's a diff that adds a new example for the `TokensController`:
diff --git a/spec/controllers/tokens_controller_spec.rb b/spec/controllers/tokens_controller_spec.rb
index de0088b6..eb55fb1f 100644
--- a/spec/controllers/tokens_controller_spec.rb
+++ b/spec/controllers/tokens_controller_spec.rb
@@ -496,6 +496,18 @@ RSpec.describe Doorkeeper::TokensController, type: :controller do
)
end
+ it "revokes the previous refresh_token of the token being introspected" do
+ previous_token = FactoryBot.create(:access_token, refresh_token: "refresh_token")
+ token_for_introspection.previous_refresh_token = previous_token.refresh_token
+ token_for_introspection.save!
+
+ request.headers["Authorization"] = "Bearer #{access_token.token}"
+
+ post :introspect, params: { token: token_for_introspection.token }
+
+ expect(previous_token.reload).to be_revoked
+ end
+
it "responds with invalid_token error if authorized token doesn't have introspection scope" do
access_token.update(scopes: "read write")
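Review bot: the new example only asserts that `previous_token.reload` is revoked; it should also assert that `token_for_introspection` itself is still active and that the response is a successful introspection (`active: true`), since revoke-on-use in `doorkeeper_authorize!` is meant to revoke the superseded refresh token while leaving the current token usable. A second case where the introspected token has no `previous_refresh_token` would confirm the new behaviour does not raise on ordinary tokens. The setup also relies on the spec's outer `let`s for `access_token` and `token_for_introspection`, which are outside the hunk, so the example should be placed within the `describe` block where those are defined (as the surrounding context suggests it is).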