Description
packages-js/api/src/handlers/command.ts, line 90 in 2f44469:
    return json
Currently, the system does not verify the "active": true field in the JWT introspection response: the handler returns the introspection JSON as-is, so expired, revoked, or otherwise invalid tokens can be accepted. According to the OAuth 2.0 Token Introspection standard (RFC 7662), the introspection response must include an "active" field that indicates whether the token is currently valid.
This issue needs to be addressed so that tokens are validated before being accepted, preventing security risks such as unauthorized access through expired or revoked tokens.
https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
RFC 7662: Token Introspection Standard:
According to RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint is used to determine the status of an OAuth 2.0 token. The response from the introspection endpoint must include the "active" field, which indicates whether the token is still valid.
The relevant portion of the RFC states:
active
REQUIRED. Boolean indicator of whether or not the presented token
is currently active. The specifics of a token's "active" state
will vary depending on the implementation of the authorization
server and the information it keeps about its tokens, but a "true"
value return for the "active" property will generally indicate
that a given token has been issued by this authorization server,
has not been revoked by the resource owner, and is within its
given time window of validity (e.g., after its issuance time and
before its expiration time). See Section 4 for information on
implementation of such checks.