use introspect url from discovery (#51)

<!--- Provide a general summary of your changes in the Title above -->

## Description

<!--- Describe your changes in detail -->

## Motivation and Context

<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here. -->

## How Has This Been Tested?

<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran
to -->
<!--- see how your change affects other areas of the code, etc. -->

## Checklist:

<!--- Go over all the following points, and put an `x` in all the boxes
that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're
here to help! -->

- [ ] My change requires a change to the documentation or CHANGELOG.
- [ ] I have updated the documentation/CHANGELOG accordingly.
- [ ] I have created a feature (non-master) branch for my PR.

pkg/providers/oidc/provider.go

@@ -18,15 +18,17 @@ type providerJSON struct {
 	UserInfoURL          string   `json:"userinfo_endpoint"`
 	CodeChallengeAlgs    []string `json:"code_challenge_methods_supported"`
 	SupportedSigningAlgs []string `json:"id_token_signing_alg_values_supported"`
+	IntrospectEndpoint   string   `json:"introspection_endpoint"`
 }
 
 // Endpoints represents the endpoints discovered as part of the OIDC discovery process
 // that will be used by the authentication providers.
 type Endpoints struct {
-	AuthURL     string
-	TokenURL    string
-	JWKsURL     string
-	UserInfoURL string
+	AuthURL            string
+	TokenURL           string
+	JWKsURL            string
+	UserInfoURL        string
+	IntrospectEndpoint string
 }
 
 // PKCE holds information relevant to the PKCE (code challenge) support of the
@@ -71,6 +73,7 @@ func NewProvider(ctx context.Context, issuerURL string, skipIssuerVerification b
 		userInfoURL:          p.UserInfoURL,
 		codeChallengeAlgs:    p.CodeChallengeAlgs,
 		supportedSigningAlgs: p.SupportedSigningAlgs,
+		introspectEndpoint:   p.IntrospectEndpoint,
 	}, nil
 }
 
@@ -80,17 +83,19 @@ type discoveryProvider struct {
 	tokenURL             string
 	jwksURL              string
 	userInfoURL          string
+	introspectEndpoint   string
 	codeChallengeAlgs    []string
 	supportedSigningAlgs []string
 }
 
 // Endpoints returns the discovered endpoints needed for an authentication provider.
 func (p *discoveryProvider) Endpoints() Endpoints {
 	return Endpoints{
-		AuthURL:     p.authURL,
-		TokenURL:    p.tokenURL,
-		JWKsURL:     p.jwksURL,
-		UserInfoURL: p.userInfoURL,
+		AuthURL:            p.authURL,
+		TokenURL:           p.tokenURL,
+		JWKsURL:            p.jwksURL,
+		UserInfoURL:        p.userInfoURL,
+		IntrospectEndpoint: p.introspectEndpoint,
 	}
 }
 

providers/oidc.go

@@ -126,14 +126,15 @@ func (p *OIDCProvider) enrichFromIntrospectURL(ctx context.Context, s *sessions.
 	params := url.Values{}
 	params.Add("token", s.AccessToken)
 	basicAuth := b64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", p.ClientID, clientSecret)))
-	logger.Printf("Requesting introspect")
 	if p.IntrospectURL == nil {
 		p.IntrospectURL = &url.URL{
 			Scheme: p.RedeemURL.Scheme,
 			Host:   p.RedeemURL.Host,
-			Path:   "/authorize/oauth2/introspect",
+			Path:   "/authorize/oauth2/v4/introspect",
 		}
 	}
+	logger.Printf("Requesting introspect from '%s'", p.IntrospectURL)
+
 	result := requests.New(p.IntrospectURL.String()).
 		WithContext(ctx).
 		WithMethod("POST").

providers/provider_data.go

@@ -194,6 +194,7 @@ func (p *ProviderData) setProviderDefaults(defaults providerDefaults) {
 	p.RedeemURL = defaultURL(p.RedeemURL, defaults.redeemURL)
 	p.ProfileURL = defaultURL(p.ProfileURL, defaults.profileURL)
 	p.ValidateURL = defaultURL(p.ValidateURL, defaults.validateURL)
+	p.IntrospectURL = defaultURL(p.IntrospectURL, nil)
 
 	if p.Scope == "" {
 		p.Scope = defaults.scope

providers/providers.go

@@ -106,6 +106,7 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 			providerConfig.RedeemURL = endpoints.TokenURL
 			providerConfig.ProfileURL = endpoints.UserInfoURL
 			providerConfig.OIDCConfig.JwksURL = endpoints.JWKsURL
+			providerConfig.IntrospectURL = endpoints.IntrospectEndpoint
 			p.SupportedCodeChallengeMethods = pkce.CodeChallengeAlgs
 		}
 	}
@@ -115,11 +116,12 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 		dst **url.URL
 		raw string
 	}{
-		"login":    {dst: &p.LoginURL, raw: providerConfig.LoginURL},
-		"redeem":   {dst: &p.RedeemURL, raw: providerConfig.RedeemURL},
-		"profile":  {dst: &p.ProfileURL, raw: providerConfig.ProfileURL},
-		"validate": {dst: &p.ValidateURL, raw: providerConfig.ValidateURL},
-		"resource": {dst: &p.ProtectedResource, raw: providerConfig.ProtectedResource},
+		"login":      {dst: &p.LoginURL, raw: providerConfig.LoginURL},
+		"redeem":     {dst: &p.RedeemURL, raw: providerConfig.RedeemURL},
+		"profile":    {dst: &p.ProfileURL, raw: providerConfig.ProfileURL},
+		"validate":   {dst: &p.ValidateURL, raw: providerConfig.ValidateURL},
+		"resource":   {dst: &p.ProtectedResource, raw: providerConfig.ProtectedResource},
+		"introspect": {dst: &p.IntrospectURL, raw: providerConfig.IntrospectURL},
 	} {
 		var err error
 		*u.dst, err = url.Parse(u.raw)