Issue: When you validate an access token using the warden/token/allowed endpoint, it returns {allowed: false} if the scopes don't match what is registered in the token. If you pass in a refresh token instead, it returns allowed: true with the entire response, regardless of scopes passed to it.
Expected result: it should either blacklist refresh tokens altogether, or at least validate the scopes passed in.
The issue is that the warden uses the introspection functionality from fosite, which in turn doesn't really care if it's a refresh or an access token. Actually, the introspection endpoint doesn't care about scopes either, which is a bit weird because fosite does, but only for access tokens, not refresh.
To resolve, I think the following must be done:
Check scopes of refresh tokens in fosite
Return token type in introspect response (fosite)
Only pass warden if token type is access token, not refresh token
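As an added illustration of the three steps listed above (not code from hydra or fosite): a warden-style decision that refuses anything whose introspection result is not an active access token, then checks the requested scopes against the granted ones. The struct field names, the token type values and the sample scopes are assumptions.

```go
package main
import (
	"errors"
	"fmt"
	"strings"
)

// Introspection holds the parts of a token introspection response the warden
// decision needs. TokenType is the field the comment proposes adding; its name
// and values here are assumptions, not fosite's actual API.
type Introspection struct {
	Active    bool
	TokenType string // assumed values: "access_token" or "refresh_token"
	Scope     string // space-separated granted scopes
}

var (
	ErrInactive    = errors.New("token is not active")
	ErrNotAccess   = errors.New("only access tokens are accepted as proof of authorization")
	ErrScopeDenied = errors.New("token does not grant a requested scope")
)

// Allowed applies the fix outlined above: active access token only, then every requested scope must be granted.
func Allowed(in Introspection, requested []string) (bool, error) {
	if !in.Active {
		return false, ErrInactive
	}
	if in.TokenType != "access_token" {
		return false, ErrNotAccess
	}
	granted := make(map[string]bool)
	for _, s := range strings.Fields(in.Scope) {
		granted[s] = true
	}
	for _, s := range requested {
		if !granted[s] {
			return false, fmt.Errorf("%w: %q", ErrScopeDenied, s)
		}
	}
	return true, nil
}

func main() {
	// Constructed sample results, not real hydra output: same scopes, different token type.
	for _, typ := range []string{"access_token", "refresh_token"} {
		tok := Introspection{Active: true, TokenType: typ, Scope: "core photos.read"}
		ok, err := Allowed(tok, []string{"core"})
		fmt.Printf("%s: allowed=%v err=%v\n", typ, ok, err)
	}
}
```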
aeneasr changed the title from "Warden endpoint doesn't validate refresh token scopes" to "warden: do not use refresh tokens as proof of authorization" on Jul 6, 2017
With the new patch you are no longer able to use refresh tokens in the warden endpoint, and the introspect endpoint properly checks refresh tokens for scopes as well. Thanks for the report!
Hydra version: v0.8.7
Docker Image: oryd/hydra:v0.8.7-http
cc @yields (he's the one who ran into it while consuming the endpoint here at Segment)