Merge pull request #523 from boscard/master

zandbelt · web-flow · commit 9e3784894b7d · 2025-03-27T11:24:24.000+01:00
Enable caching of negative introspection responses
diff --git a/README.md b/README.md
@@ -384,6 +384,19 @@ from the cache. In order to avoid cache confusion it is recommended to
 set `opts.cache_segment` to unique strings for each set of related
 locations.
 
+## Caching of negative Introspection responses
+
+By default `introspection` cache will not store negative responses.
+This means that bad actor can potentialy try to exhaust introspection 
+endpoint by flooding service with a lot of calls with inproper token.
+To prevent this situation `opts.introspection_enable_negative_cache`
+can be set to `true`. This will enable `introspection` cache to store
+negative responses for time defined in `exp` field.
+Caching negative introspection responses will offload traffic from
+introspection endpoint but also will expose NGINX for resource exhaustion
+attacks as storing negative introspection responses will use extra
+cache storage.
+
 ## Revoke tokens
 
 The `revoke_tokens(opts, session)` function revokes the current refresh and access token. In contrast to a full logout, the session cookie will not be destroyed and the endsession endpoint will not be called. The function returns `true` if both tokens were revoked successfully. This function might be helpful in scenarios where you want to destroy/remove a session from the server side.
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -1780,6 +1780,11 @@ function openidc.introspect(opts)
 
   if v then
     json = cjson.decode(v)
+
+    if not json or not json.active then
+        err = "invalid cached token"
+    end
+
     return json, err
   end
 
@@ -1810,12 +1815,13 @@ function openidc.introspect(opts)
   end
   json, err = openidc.call_token_endpoint(opts, introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
 
-
   if not json then
     return json, err
   end
 
-  if not json.active then
+  -- check if negative cache should be in use
+  local introspection_enable_negative_cache = opts.introspection_enable_negative_cache or false
+  if not json.active and not introspection_enable_negative_cache then
     err = "invalid token"
     return json, err
   end
@@ -1824,6 +1830,7 @@ function openidc.introspect(opts)
   local introspection_cache_ignore = opts.introspection_cache_ignore or false
   local expiry_claim = opts.introspection_expiry_claim or "exp"
 
+
   if not introspection_cache_ignore and json[expiry_claim] then
     local introspection_interval = opts.introspection_interval or 0
     local ttl = json[expiry_claim]
@@ -1839,6 +1846,10 @@ function openidc.introspect(opts)
     set_cached_introspection(opts, access_token, cjson.encode(json), ttl)
   end
 
+  if not json.active then
+    err = "invalid token"
+  end
+
   return json, err
 
 end
