From 090e212c95c8e3d6006955c45bc47f61cab80248 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Wed, 1 Mar 2023 13:33:45 +0100
Subject: [PATCH] add support for introspect.params - see https://github.com/zmartzone/mod_oauth2/discussions/44 - bump to 1.4.5.5rc1
Signed-off-by: Hans Zandbelt
---
 ChangeLog | 6 +++++-
 configure.ac | 2 +-
 src/oauth2.c | 12 +++++++++++-
 test/check_oauth2.c | 12 +++++++++---
 4 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5ca92d1..d2aeadb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
-01/22/2024
+03/01/2023
+- add support for introspect.params; see https://github.com/zmartzone/mod_oauth2/discussions/44
+- bump to 1.4.5.5rc1
+
+01/22/2023
 - hack for el7/x86 where openssl 1.0.2 and openssl 1.1.1 are installed for respectively Apache and NGINX 1.20.1
 - bump to 1.4.5.5rc0
diff --git a/configure.ac b/configure.ac
index a4646ba..807896e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([liboauth2],[1.4.5.5rc0],[hans.zandbelt@openidc.com])
+AC_INIT([liboauth2],[1.4.5.5rc1],[hans.zandbelt@openidc.com])
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/src/oauth2.c b/src/oauth2.c
index 0a2c37d..a1a559c 100644
--- a/src/oauth2.c
+++ b/src/oauth2.c
@@ -274,19 +274,24 @@ bool oauth2_http_ctx_auth_add(oauth2_log_t *log, oauth2_http_call_ctx_t *ctx,
 _OAUTH2_CFG_CTX_TYPE_START(oauth2_introspect_ctx)
 oauth2_cfg_endpoint_t *endpoint;
+oauth2_nv_list_t *params;
 _OAUTH2_CFG_CTX_TYPE_END(oauth2_introspect_ctx)
 _OAUTH2_CFG_CTX_INIT_START(oauth2_introspect_ctx)
 ctx->endpoint = NULL;
+ctx->params = NULL;
 _OAUTH2_CFG_CTX_INIT_END
 _OAUTH2_CFG_CTX_CLONE_START(oauth2_introspect_ctx)
 dst->endpoint = oauth2_cfg_endpoint_clone(log, src->endpoint);
+dst->params = oauth2_nv_list_clone(log, src->params);
 _OAUTH2_CFG_CTX_CLONE_END
 _OAUTH2_CFG_CTX_FREE_START(oauth2_introspect_ctx)
 if (ctx->endpoint)
 oauth2_cfg_endpoint_free(log, ctx->endpoint);
+if (ctx->params)
+ oauth2_nv_list_free(log, ctx->params);
 _OAUTH2_CFG_CTX_FREE_END
 _OAUTH2_CFG_CTX_FUNCS(oauth2_introspect_ctx)
@@ -331,7 +336,7 @@ static bool _oauth2_introspect_verify(oauth2_log_t *log,
 oauth2_nv_list_add(log, params, OAUTH2_INTROSPECT_TOKEN_TYPE_HINT, OAUTH2_INTROSPECT_TOKEN_TYPE_HINT_ACCESS_TOKEN);
- // TODO: add configurable extra POST params
+ oauth2_nv_list_merge_into(log, ctx->params, params);
 if (oauth2_http_ctx_auth_add( log, http_ctx, oauth2_cfg_endpoint_get_auth(ctx->endpoint),
@@ -429,6 +434,11 @@ static char *_oauth2_verify_options_set_introspect_url_ctx(
 rv = oauth2_cfg_set_endpoint(log, ctx->endpoint, url, params, "introspect");
+ if (oauth2_parse_form_encoded_params(
+ log, oauth2_nv_list_get(log, params, "introspect.params"),
+ &ctx->params) == false)
+ rv = oauth2_strdup("oauth2_parse_form_encoded_params failed");
+
 oauth2_debug(log, "leave: %s", rv);
 return rv;
diff --git a/test/check_oauth2.c b/test/check_oauth2.c
index 77326a7..80df716 100644
--- a/test/check_oauth2.c
+++ b/test/check_oauth2.c
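Review bot: The new `params` member of `oauth2_introspect_ctx` (hunk at -274) has no comment saying what it holds or that it may be NULL. A member comment such as `/* extra POST parameters from introspect.params; NULL when not configured */` would make the lifecycle clear to the next reader. Related to that, the free path is guarded with `if (ctx->params)` while the clone path calls `oauth2_nv_list_clone(log, src->params)` unconditionally, so it relies on the clone helper accepting NULL. The `endpoint` line above follows the same pattern, so this is probably fine, but it is worth confirming against the helper.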
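Review bot: The merge in `_oauth2_introspect_verify` (hunk at -331) runs after the `OAUTH2_INTROSPECT_TOKEN_TYPE_HINT` pair has been added, and presumably after the token itself, which is added above the hunk. A configured `introspect.params` that reuses one of those names would therefore duplicate or replace a value sent to the introspection endpoint, depending on how `oauth2_nv_list_merge_into` treats existing keys, which is not visible here. Rejecting the reserved names when the option is parsed, or documenting the precedence, would keep a configuration mistake from changing which token is validated. At minimum a comment above the call would record the rule, e.g. `// extra params from introspect.params; must not override token or OAUTH2_INTROSPECT_TOKEN_TYPE_HINT`. The function body starts and ends outside the hunk.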
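Review bot: In `_oauth2_verify_options_set_introspect_url_ctx` (hunk at -429) the new failure branch assigns `rv` without checking what `oauth2_cfg_set_endpoint` just returned, so an earlier error string would be overwritten and, if it is heap-allocated as the `oauth2_strdup` on the new line suggests, leaked. Guarding the parse keeps the first error: `if ((rv == NULL) && (oauth2_parse_form_encoded_params(log, oauth2_nv_list_get(log, params, "introspect.params"), &ctx->params) == false))`. The result of `oauth2_nv_list_get` is also passed straight through and is presumably NULL when `introspect.params` is not configured; whether the parser treats NULL as an empty list is not visible here and should be confirmed. The function body starts and ends outside the hunk.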
@@ -556,6 +556,9 @@ static char *oauth2_check_oauth2_serve_post(const char *request)
 if (oauth2_parse_form_encoded_params(_log, data, ¶ms) == false)
 goto error;
+ token = oauth2_nv_list_get(_log, params, "key2");
+ if ((token == NULL) || (strcmp(token, "two") != 0))
+ goto error;
 token = oauth2_nv_list_get(_log, params, "token");
 if (token == NULL)
 goto error;
@@ -788,7 +791,9 @@ START_TEST(test_oauth2_verify_token_introspection)
 post_introspection_path, NULL);
 rv = oauth2_cfg_token_verify_add_options(
- _log, &verify, "introspect", url, "introspect.ssl_verify=false");
+ _log, &verify, "introspect", url,
+ "introspect.ssl_verify=false&introspect.params=key1%3Done%26key2%"
+ "3Dtwo");
 ck_assert_ptr_eq(rv, NULL);
 rc = oauth2_token_verify(_log, NULL, verify, "bogus", &json_payload);
@@ -1002,8 +1007,9 @@ START_TEST(test_oauth2_verify_token_metadata)
 url = oauth2_stradd(NULL, oauth2_check_http_base_url(), metadata_path, NULL);
- rv = oauth2_cfg_token_verify_add_options(_log, &verify, "metadata", url,
- "&verify.exp=skip");
+ rv = oauth2_cfg_token_verify_add_options(
+ _log, &verify, "metadata", url,
+ "&verify.exp=skip&&introspect.params=key2%3Dtwo");
 ck_assert_ptr_eq(rv, NULL);
 // reference token
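Review bot: The new check in `oauth2_check_oauth2_serve_post` (hunk at -556) verifies only `key2`, although the introspection test configures both `key1` and `key2`, so a regression that drops or mangles the first configured parameter would go unnoticed. The check is also unconditional in this shared handler, so every test that posts to it must now send `key2=two`, which is presumably why the metadata test gains `introspect.params` in the last hunk. A short comment above the check, e.g. `/* every introspection test must configure introspect.params with key2=two */`, would make that coupling explicit. If `key1` is meant to be covered too, the metadata test would need to send it as well. The handler continues outside the hunk.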
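Review bot: The option string in `test_oauth2_verify_token_introspection` (hunk at -788) is split across two literals in the middle of a percent-escape (`key2%"` followed by `"3Dtwo"`), which makes the encoded value hard to read and easy to mis-edit. Breaking at the parameter boundary keeps each escape intact: `"introspect.ssl_verify=false"` followed by `"&introspect.params=key1%3Done%26key2%3Dtwo"`. No case here feeds a value that fails to parse, so the new error branch in `src/oauth2.c` appears to be unexercised. The test body continues outside the hunk.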
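Review bot: The new options string in `test_oauth2_verify_token_metadata` (hunk at -1002) contains a doubled separator, `&verify.exp=skip&&introspect.params=key2%3Dtwo`, which puts an empty pair between the two options and looks unintentional. `"&verify.exp=skip&introspect.params=key2%3Dtwo"` expresses the same configuration. If tolerance of empty pairs is being tested on purpose (the old string already began with `&`), a one-line comment saying so would prevent a later cleanup from removing it. The test body continues outside the hunk.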