Why introspection_endpoint parameter not use discovered data? #255

Closed
liqiangno1 opened this issue Mar 21, 2019 · 4 comments
@liqiangno1
liqiangno1 commented Mar 21, 2019

Environment

  • lua-resty-openidc version (e.g. 1.7.0)

Expected behaviour

The introspection_endpoint can be found in the discovered data, so why does this parameter not use the discovered data?

Actual behaviour

I need to pass this parameter.

Minimized example

```lua
-- call the introspection endpoint
json, err = openidc.call_token_endpoint(opts, opts.introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
```

Configuration and NGINX server log files

Config and logs for the minimized example, possibly provided as attachments.

@bodewig
Collaborator

bodewig commented Mar 21, 2019

Unfortunately the introspection endpoint is not part of the standard discovery document, see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

It is part of RFC 8414 which would use a different URI and is not a superset of OIDC discovery.

We probably could try to see whether our discovery data contains introspection_endpoint and probably also introspection_endpoint_auth_methods_supported keys and use them if no explicit endpoint URI has been given.

@liqiangno1
Author

Ok, I see. Thanks for your explanation!

@zandbelt
Contributor

Agree, it would make sense to start supporting RFC 8414 and do it in the way @bodewig describes.

bodewig added a commit that referenced this issue Jul 9, 2019

see #255

Signed-off-by: Stefan Bodewig <[email protected]>
@bodewig
Collaborator

bodewig commented Jul 9, 2019

cdaf824 adds discovery as a fallback when opts.introspection_endpoint has not been set.

introspection_endpoint_auth_methods_supported is a bit more complex and I stopped adding it when I realized our introspection request will always use client_secret_post as it adds the client_id and client_secret claims to the body unconditionally. It may - in addition - use one of the other three auth methods we currently support based on opts.introspection_endpoint_auth_method. I am afraid we break something if we remove the "always use client_secret_post" logic.
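
The fallback order discussed in this thread (explicit `opts.introspection_endpoint` first, then an `introspection_endpoint` key in the discovery data), shown as an added Lua example; it is not the code from cdaf824 or from lua-resty-openidc. The helper name, the already-fetched discovery table, the sample URLs and the https check are assumptions made for illustration.

```lua
-- Added example. resolve_introspection_endpoint is a hypothetical helper name,
-- not a function exported by lua-resty-openidc.
local function resolve_introspection_endpoint(opts, discovery)
  -- 1. An explicitly configured endpoint always wins.
  local explicit = opts.introspection_endpoint
  if type(explicit) == "string" and explicit ~= "" then
    return explicit, "explicit"
  end
  -- 2. Fall back to the key some providers publish in their metadata.
  local found = type(discovery) == "table" and discovery.introspection_endpoint
  if type(found) ~= "string" or found == "" then
    return nil, "no introspection_endpoint configured or discovered"
  end
  -- 3. Assumption added here: the request body carries client_id and
  --    client_secret, so a discovered endpoint must be served over TLS.
  if not found:match("^https://") then
    return nil, "discovered introspection_endpoint is not https"
  end
  return found, "discovery"
end

-- Constructed sample inputs (idp.example is a placeholder host).
local cases = {
  { "explicit option set",
    { introspection_endpoint = "https://idp.example/oauth2/introspect" },
    { introspection_endpoint = "https://idp.example/from-discovery" } },
  { "discovery fallback", {},
    { introspection_endpoint = "https://idp.example/from-discovery" } },
  { "plain OIDC metadata, key absent", {},
    { token_endpoint = "https://idp.example/token" } },
  { "discovered over http", {},
    { introspection_endpoint = "http://idp.example/introspect" } },
}

for _, c in ipairs(cases) do
  local endpoint, info = resolve_introspection_endpoint(c[2], c[3])
  print(("%-32s -> %s (%s)"):format(c[1], tostring(endpoint), info))
end
```

Because the introspection request always places `client_id` and `client_secret` in the body, setting `opts.introspection_endpoint` explicitly keeps the destination of those credentials under local configuration rather than provider-published metadata.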
