From 3d66db23861bd9051d608e899ada9e537a17debf Mon Sep 17 00:00:00 2001
From: HaimKortovich
Date: Wed, 13 May 2026 16:22:46 -0500
Subject: [PATCH] configure introspection correctly

---
 lib/policy_service_web/plugs/authorize_roles.ex | 4 ++--
 lib/policy_service_web/router.ex | 11 ++++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/lib/policy_service_web/plugs/authorize_roles.ex b/lib/policy_service_web/plugs/authorize_roles.ex
index ac1f3cb..2b7621b 100644
--- a/lib/policy_service_web/plugs/authorize_roles.ex
+++ b/lib/policy_service_web/plugs/authorize_roles.ex
@@ -67,8 +67,8 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
   defp get_roles_map(conn, roles_claim) do
     case conn.private[Oidcc.Plug.IntrospectToken] do
-      %{claims: %{^roles_claim => %{} = roles_map}} ->
-        role = Map.get(roles_map, roles_claim, %{})
+      %{extra: %{^roles_claim => %{} = roles_map}} ->
+        Map.get(roles_map, roles_claim, %{})

         role

       _ ->
diff --git a/lib/policy_service_web/router.ex b/lib/policy_service_web/router.ex
index 44cacdb..bc8ae91 100644
--- a/lib/policy_service_web/router.ex
+++ b/lib/policy_service_web/router.ex
@@ -15,7 +15,7 @@ defmodule PolicyServiceWeb.Router do
     plug PolicyServiceWeb.Plugs.RequireOrganizationId
     plug PolicyServiceWeb.Plugs.ExtractOrganizationId
-    plug :validate
+    plug :introspect
     plug :authorize_roles
   end
@@ -46,17 +46,18 @@ defmodule PolicyServiceWeb.Router do
     get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
   end

-  def validate(conn, _opts) do
+  def introspect(conn, _opts) do
     zitadel = Application.get_env(:policy_service, :zitadel)

     opts =
-      Oidcc.Plug.ValidateJwtToken.init(
+      Oidcc.Plug.IntrospectToken.init(
         provider: PolicyService.ZitadelProvider,
         client_id: zitadel[:client_id],
-        client_secret: zitadel[:client_secret]
+        client_secret: zitadel[:client_secret],
+        token_introspection_opts: %{client_self_only: false}
       )

-    Oidcc.Plug.ValidateJwtToken.call(
+    Oidcc.Plug.IntrospectToken.call(
       conn,
       opts
     )
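Review bot: The added clause body `Map.get(roles_map, roles_claim, %{})` no longer binds `role`, yet the unchanged context line `role` that follows it is still the clause's final expression, so `role` is an undefined variable on the new side (or a call to a non-existent `role/0`) and the module should fail to compile unless something else in the module defines it. Either restore the binding, `role = Map.get(roles_map, roles_claim, %{})`, or delete the dangling `role` line so the `Map.get` result is what the clause returns. Separately, the pattern already binds `roles_map` to the value under `roles_claim`, so looking `roles_claim` up inside it a second time yields the `%{}` default unless the claim is genuinely nested twice in the introspection `extra` map — worth confirming against a real response, because an empty roles map silently means "no roles" rather than an error. get_roles_map/2 continues past the end of the hunk.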
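Review bot: `token_introspection_opts: %{client_self_only: false}` disables the check that the introspected token was issued to this client (oidcc otherwise rejects a mismatching `client_id`), and nothing in the hunk adds a replacement audience check, so any active token from the same Zitadel provider is accepted here regardless of which client it was minted for. If that is intentional, say so at the option site, e.g. `# client_self_only: false — also accept tokens minted for other Zitadel clients (TODO: state which and why; audience is not re-checked downstream)`, and make sure the role check in AuthorizeRoles or a dedicated plug enforces the intended audience; otherwise keep the default. Also, `Application.get_env(:policy_service, :zitadel)` followed by `zitadel[:client_id]` passes `nil` credentials quietly when the config key is missing; `Application.fetch_env!(:policy_service, :zitadel)` would fail loudly on the first request instead. The `end` of introspect/2 lies outside the hunk.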