Provide revoke and introspection methods to AccessTokenProvider

Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>

Author: mcruzdev

.gitignore

@@ -32,4 +32,7 @@ build/
 .vscode/
 
 # Bob-Shell
-.bob/notes/
+.bob/notes/
+
+
+impl/test/*/**.db

impl/core/src/main/java/io/serverlessworkflow/impl/auth/AccessTokenProvider.java

@@ -21,4 +21,45 @@
 
 public interface AccessTokenProvider {
   JWT validateAndGet(WorkflowContext workflow, TaskContext context, WorkflowModel model);
+
+  /**
+   * Introspects the given token against the configured introspection endpoint, as defined by <a
+   * href="https://www.rfc-editor.org/rfc/rfc7662">RFC 7662</a>.
+   *
+   * <p>This is an optional capability. The default implementation throws {@link
+   * UnsupportedOperationException}; providers backed by an introspection-capable OIDC client should
+   * override it.
+   *
+   * @param tokenTypeHint optional {@code token_type_hint} (e.g. {@code access_token}), may be
+   *     {@code null}
+   */
+  default TokenIntrospection introspect(
+      WorkflowContext workflow,
+      TaskContext context,
+      WorkflowModel model,
+      String token,
+      String tokenTypeHint) {
+    throw new UnsupportedOperationException(
+        "Token introspection is not supported by this provider");
+  }
+
+  /**
+   * Revokes the given token against the configured revocation endpoint, as defined by <a
+   * href="https://www.rfc-editor.org/rfc/rfc7009">RFC 7009</a>.
+   *
+   * <p>This is an optional capability. The default implementation throws {@link
+   * UnsupportedOperationException}; providers backed by a revocation-capable OIDC client should
+   * override it.
+   *
+   * @param tokenTypeHint optional {@code token_type_hint} (e.g. {@code access_token}, {@code
+   *     refresh_token}), may be {@code null}
+   */
+  default void revoke(
+      WorkflowContext workflow,
+      TaskContext context,
+      WorkflowModel model,
+      String token,
+      String tokenTypeHint) {
+    throw new UnsupportedOperationException("Token revocation is not supported by this provider");
+  }
 }

impl/core/src/main/java/io/serverlessworkflow/impl/auth/ClientSecretPost.java

@@ -38,10 +38,10 @@ protected ClientSecretPost(
   protected void clientCredentials(OAuth2AuthenticationData authenticationData) {
     requestBuilder
         .withGrantType(authenticationData.getGrant().value())
-        .addQueryParam(
+        .addClientAuthParam(
             "client_id",
             WorkflowUtils.buildStringFilter(application, authenticationData.getClient().getId()))
-        .addQueryParam(
+        .addClientAuthParam(
             "client_secret",
             WorkflowUtils.buildStringFilter(
                 application, authenticationData.getClient().getSecret()));
@@ -64,8 +64,8 @@ protected void clientCredentials(Map<String, Object> secret) {
     Map<String, Object> client = (Map<String, Object>) secret.get(CLIENT);
     requestBuilder
         .withGrantType((String) secret.get(GRANT))
-        .addQueryParam("client_id", (String) client.get(ID))
-        .addQueryParam("client_secret", (String) client.get(SECRET));
+        .addClientAuthParam("client_id", (String) client.get(ID))
+        .addClientAuthParam("client_secret", (String) client.get(SECRET));
   }
 
   @Override

impl/core/src/main/java/io/serverlessworkflow/impl/auth/HttpRequestInfo.java

@@ -18,12 +18,14 @@
 import io.serverlessworkflow.impl.WorkflowValueResolver;
 import java.net.URI;
 import java.util.Map;
+import java.util.Optional;
 
 public record HttpRequestInfo(
     Map<String, WorkflowValueResolver<String>> headers,
     Map<String, WorkflowValueResolver<String>> queryParams,
+    Map<String, WorkflowValueResolver<String>> clientAuthParams,
     WorkflowValueResolver<URI> uri,
-    WorkflowValueResolver<URI> revocationUri,
-    WorkflowValueResolver<URI> introspectionUri,
+    Optional<WorkflowValueResolver<URI>> revocationUri,
+    Optional<WorkflowValueResolver<URI>> introspectionUri,
     String grantType,
     String contentType) {}

impl/core/src/main/java/io/serverlessworkflow/impl/auth/HttpRequestInfoBuilder.java

@@ -23,18 +23,21 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 
 class HttpRequestInfoBuilder {
 
   private Map<String, WorkflowValueResolver<String>> headers;
 
   private Map<String, WorkflowValueResolver<String>> queryParams;
 
+  private Map<String, WorkflowValueResolver<String>> clientAuthParams;
+
   private WorkflowValueResolver<URI> uri;
 
-  private WorkflowValueResolver<URI> revocationUri;
+  private Optional<WorkflowValueResolver<URI>> revocationUri = Optional.empty();
 
-  private WorkflowValueResolver<URI> introspectionUri;
+  private Optional<WorkflowValueResolver<URI>> introspectionUri = Optional.empty();
 
   private String grantType;
 
@@ -43,6 +46,7 @@ class HttpRequestInfoBuilder {
   HttpRequestInfoBuilder() {
     headers = new HashMap<>();
     queryParams = new HashMap<>();
+    clientAuthParams = new HashMap<>();
   }
 
   HttpRequestInfoBuilder addHeader(String key, String token) {
@@ -65,17 +69,28 @@ HttpRequestInfoBuilder addQueryParam(String key, WorkflowValueResolver<String> t
     return this;
   }
 
+  HttpRequestInfoBuilder addClientAuthParam(String key, String token) {
+    clientAuthParams.put(key, (w, t, m) -> token);
+    return this;
+  }
+
+  HttpRequestInfoBuilder addClientAuthParam(String key, WorkflowValueResolver<String> token) {
+    clientAuthParams.put(key, token);
+    return this;
+  }
+
   HttpRequestInfoBuilder withUri(WorkflowValueResolver<URI> uri) {
     this.uri = uri;
     return this;
   }
 
-  HttpRequestInfoBuilder withRevocationUri(WorkflowValueResolver<URI> revocationUri) {
+  HttpRequestInfoBuilder withRevocationUri(Optional<WorkflowValueResolver<URI>> revocationUri) {
     this.revocationUri = revocationUri;
     return this;
   }
 
-  HttpRequestInfoBuilder withIntrospectionUri(WorkflowValueResolver<URI> introspectionUri) {
+  HttpRequestInfoBuilder withIntrospectionUri(
+      Optional<WorkflowValueResolver<URI>> introspectionUri) {
     this.introspectionUri = introspectionUri;
     return this;
   }
@@ -106,6 +121,13 @@ HttpRequestInfo build() {
       contentType = APPLICATION_X_WWW_FORM_URLENCODED.value();
     }
     return new HttpRequestInfo(
-        headers, queryParams, uri, revocationUri, introspectionUri, grantType, contentType);
+        headers,
+        queryParams,
+        clientAuthParams,
+        uri,
+        revocationUri,
+        introspectionUri,
+        grantType,
+        contentType);
   }
 }

impl/core/src/main/java/io/serverlessworkflow/impl/auth/JwtClientAssertion.java

@@ -115,12 +115,13 @@ protected void password(Map<String, Object> secret) {
 
   private void addAssertion(String clientId, String assertion) {
     if (clientId != null) {
-      requestBuilder.addQueryParam(
+      requestBuilder.addClientAuthParam(
           CLIENT_ID, WorkflowUtils.buildStringFilter(application, clientId));
     }
     requestBuilder
-        .addQueryParam(CLIENT_ASSERTION_TYPE, JWT_BEARER_ASSERTION_TYPE)
-        .addQueryParam(CLIENT_ASSERTION, WorkflowUtils.buildStringFilter(application, assertion));
+        .addClientAuthParam(CLIENT_ASSERTION_TYPE, JWT_BEARER_ASSERTION_TYPE)
+        .addClientAuthParam(
+            CLIENT_ASSERTION, WorkflowUtils.buildStringFilter(application, assertion));
   }
 
   @SuppressWarnings("unchecked")

impl/core/src/main/java/io/serverlessworkflow/impl/auth/OAuthRequestBuilder.java

@@ -25,13 +25,14 @@
 import io.serverlessworkflow.impl.WorkflowValueResolver;
 import java.net.URI;
 import java.util.Map;
+import java.util.Optional;
 
 class OAuthRequestBuilder
     extends AbstractAuthRequestBuilder<OAuth2ConnectAuthenticationProperties> {
 
-  private static String DEFAULT_TOKEN_PATH = "oauth2/token";
-  private static String DEFAULT_REVOCATION_PATH = "oauth2/revoke";
-  private static String DEFAULT_INTROSPECTION_PATH = "oauth2/introspect";
+  private static final String DEFAULT_TOKEN_PATH = "oauth2/token";
+  private static final String DEFAULT_REVOCATION_PATH = "oauth2/revoke";
+  private static final String DEFAULT_INTROSPECTION_PATH = "oauth2/introspect";
 
   public OAuthRequestBuilder(WorkflowApplication application) {
     super(application);
@@ -47,9 +48,11 @@ protected void authenticationURI(OAuth2ConnectAuthenticationProperties authentic
     String introspection = endpoints != null ? endpoints.getIntrospection() : null;
     requestBuilder
         .withUri(endpointResolver(uri, endpointPath(token, DEFAULT_TOKEN_PATH)))
-        .withRevocationUri(endpointResolver(uri, endpointPath(revocation, DEFAULT_REVOCATION_PATH)))
+        .withRevocationUri(
+            Optional.of(endpointResolver(uri, endpointPath(revocation, DEFAULT_REVOCATION_PATH))))
         .withIntrospectionUri(
-            endpointResolver(uri, endpointPath(introspection, DEFAULT_INTROSPECTION_PATH)));
+            Optional.of(
+                endpointResolver(uri, endpointPath(introspection, DEFAULT_INTROSPECTION_PATH))));
   }
 
   @Override
@@ -59,9 +62,11 @@ protected void authenticationURI(Map<String, Object> secret) {
         secret.get("endpoints") instanceof Map<?, ?> raw ? (Map<?, ?>) raw : Map.of();
     requestBuilder
         .withUri(staticUri(authority, endpoints, "token", DEFAULT_TOKEN_PATH))
-        .withRevocationUri(staticUri(authority, endpoints, "revocation", DEFAULT_REVOCATION_PATH))
+        .withRevocationUri(
+            Optional.of(staticUri(authority, endpoints, "revocation", DEFAULT_REVOCATION_PATH)))
         .withIntrospectionUri(
-            staticUri(authority, endpoints, "introspection", DEFAULT_INTROSPECTION_PATH));
+            Optional.of(
+                staticUri(authority, endpoints, "introspection", DEFAULT_INTROSPECTION_PATH)));
   }
 
   private static String endpointPath(String path, String defaultPath) {

impl/core/src/main/java/io/serverlessworkflow/impl/auth/TokenIntrospection.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2020-Present The Serverless Workflow Specification Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.serverlessworkflow.impl.auth;
+
+import java.util.Map;
+
+/**
+ * The result of an OAuth2 token introspection request as defined by <a
+ * href="https://www.rfc-editor.org/rfc/rfc7662">RFC 7662</a>.
+ *
+ * <p>{@code active} is the only field guaranteed by the specification; the full response is exposed
+ * through {@code claims} so callers can inspect additional metadata (scope, exp, sub, ...).
+ */
+public record TokenIntrospection(boolean active, Map<String, Object> claims) {}

impl/http/pom.xml

@@ -12,5 +12,35 @@
             <groupId>io.serverlessworkflow</groupId>
             <artifactId>serverlessworkflow-impl-template-resolver</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>mockwebserver</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.jersey.core</groupId>
+            <artifactId>jersey-client</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.jersey.media</groupId>
+            <artifactId>jersey-media-json-jackson</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>