From 174d867bf4e132e5e1629d2fd06f3395901f52b0 Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Mon, 16 Oct 2023 11:47:24 +0300
Subject: [PATCH] feat(oxauth): added configuration property to AS which will allow to bypass basic client authentication restriction to query only own tokens (4.6.0) https://github.com/GluuFederation/oxAuth/issues/1865
---
 .../oxauth/model/configuration/AppConfiguration.java | 10 ++++++++++
 .../introspection/ws/rs/IntrospectionWebService.java | 6 ++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java b/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
index 3ca281a9f2..8e22fc5ba9 100644
--- a/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
+++ b/Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java
@@ -196,6 +196,7 @@ public class AppConfiguration implements Configuration {
 private Boolean introspectionAccessTokenMustHaveUmaProtectionScope = false;
 private Boolean introspectionSkipAuthorization;
+ private Boolean introspectionRestrictBasicAuthnToOwnTokens = false;
 private Boolean endSessionWithAccessToken;
 private String cookieDomain;
@@ -587,6 +588,15 @@ public void setIntrospectionSkipAuthorization(Boolean introspectionSkipAuthoriza
 this.introspectionSkipAuthorization = introspectionSkipAuthorization;
 }
+ public Boolean getIntrospectionRestrictBasicAuthnToOwnTokens() {
+ if (introspectionRestrictBasicAuthnToOwnTokens == null) introspectionRestrictBasicAuthnToOwnTokens = false;
+ return introspectionRestrictBasicAuthnToOwnTokens;
+ }
+
+ public void setIntrospectionRestrictBasicAuthnToOwnTokens(Boolean introspectionRestrictBasicAuthnToOwnTokens) {
+ this.introspectionRestrictBasicAuthnToOwnTokens = introspectionRestrictBasicAuthnToOwnTokens;
+ }
+
 public Boolean getUmaRptAsJwt() {
 return umaRptAsJwt;
 }
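Review bot: The new getter `getIntrospectionRestrictBasicAuthnToOwnTokens()` in the second hunk writes to the field as a side effect of a read, which the field initializer `= false` in the first hunk already makes unnecessary except when the setter is handed an explicit null; a read-only form, `return Boolean.TRUE.equals(introspectionRestrictBasicAuthnToOwnTokens);`, gives the same result without mutating configuration state. The property is a security control and carries no Javadoc: add a comment on the getter along the lines of "Whether a client authenticating with HTTP Basic credentials at the introspection endpoint may only introspect access tokens issued to itself (true) or any access token (false, the default)." so an operator reading the configuration model can tell what disabling it exposes. The neighbouring `introspectionSkipAuthorization` property visible in the first hunk would benefit from the same documentation, but that is outside this change.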
diff --git a/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java b/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java
index 7bbfce8388..56a902d6eb 100644
--- a/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java
+++ b/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java
@@ -55,6 +55,8 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Iterator;
+import static org.apache.commons.lang3.BooleanUtils.isTrue;
+
 /**
 * @author Yuriy Zabrovarnyy
 * @version June 30, 2018
@@ -278,13 +280,13 @@ private Pair getAuthorizationGrant(String authoriza
 String password = URLDecoder.decode(token.substring(delim + 1), Util.UTF8_STRING_ENCODING);
 if (clientService.authenticate(clientId, password)) {
 grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
- if (grant != null && !grant.getClientId().equals(clientId)) {
+ if (isTrue(appConfiguration.getIntrospectionRestrictBasicAuthnToOwnTokens()) && grant != null && !grant.getClientId().equals(clientId)) {
 log.trace("Failed to match grant object clientId and client id provided during authentication.");
 return EMPTY;
 }
 return new Pair<>(grant, true);
 } else {
- log.trace("Failed to perform basic authentication for client: " + clientId);
+ log.trace("Failed to perform basic authentication for client: {}", clientId);
 }
 }
 }
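Review bot: The changed condition in the second hunk turns the client-ownership check, which the removed line applied unconditionally, into an opt-in, and because `introspectionRestrictBasicAuthnToOwnTokens` defaults to `false` in AppConfiguration an upgraded deployment lets any client that passes Basic authentication introspect access tokens issued to other clients until an operator sets the property. If the goal of the linked issue is to let individual deployments relax the check, the safer default is to keep the existing restriction and require an explicit opt-out, i.e. `private Boolean introspectionRestrictBasicAuthnToOwnTokens = true;` in AppConfiguration with the getter's null fallback changed to match. When the check is disabled the grant of another client is returned on `return new Pair<>(grant, true);` with no record of it; a trace line before that return such as `log.trace("Ownership check disabled, client {} introspects token of client {}", clientId, grant != null ? grant.getClientId() : null);` would make that path visible in logs. `getAuthorizationGrant` begins above the hunk, so the earlier handling of `token` and `delim` is not visible here.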