Remove introspection and revoke

mcruzdev · mcruzdev · commit d758ecfb0b7f · 2026-06-12T17:57:20.000-03:00
Signed-off-by: Matheus Cruz &lt;matheuscruz.dev@gmail.com&gt;
diff --git a/impl/core/src/main/java/io/serverlessworkflow/impl/auth/AccessTokenProvider.java b/impl/core/src/main/java/io/serverlessworkflow/impl/auth/AccessTokenProvider.java
@@ -21,45 +21,4 @@
 
 public interface AccessTokenProvider {
   JWT validateAndGet(WorkflowContext workflow, TaskContext context, WorkflowModel model);
-
-  /**
-   * Introspects the given token against the configured introspection endpoint, as defined by <a
-   * href="https://www.rfc-editor.org/rfc/rfc7662">RFC 7662</a>.
-   *
-   * <p>This is an optional capability. The default implementation throws {@link
-   * UnsupportedOperationException}; providers backed by an introspection-capable OIDC client should
-   * override it.
-   *
-   * @param tokenTypeHint optional {@code token_type_hint} (e.g. {@code access_token}), may be
-   *     {@code null}
-   */
-  default TokenIntrospection introspect(
-      WorkflowContext workflow,
-      TaskContext context,
-      WorkflowModel model,
-      String token,
-      String tokenTypeHint) {
-    throw new UnsupportedOperationException(
-        "Token introspection is not supported by this provider");
-  }
-
-  /**
-   * Revokes the given token against the configured revocation endpoint, as defined by <a
-   * href="https://www.rfc-editor.org/rfc/rfc7009">RFC 7009</a>.
-   *
-   * <p>This is an optional capability. The default implementation throws {@link
-   * UnsupportedOperationException}; providers backed by a revocation-capable OIDC client should
-   * override it.
-   *
-   * @param tokenTypeHint optional {@code token_type_hint} (e.g. {@code access_token}, {@code
-   *     refresh_token}), may be {@code null}
-   */
-  default void revoke(
-      WorkflowContext workflow,
-      TaskContext context,
-      WorkflowModel model,
-      String token,
-      String tokenTypeHint) {
-    throw new UnsupportedOperationException("Token revocation is not supported by this provider");
-  }
 }
diff --git a/impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/auth/JaxRSAccessTokenProvider.java b/impl/http/src/main/java/io/serverlessworkflow/impl/executors/http/auth/JaxRSAccessTokenProvider.java
@@ -27,7 +27,6 @@
 import io.serverlessworkflow.impl.auth.HttpRequestInfo;
 import io.serverlessworkflow.impl.auth.JWT;
 import io.serverlessworkflow.impl.auth.JWTConverter;
-import io.serverlessworkflow.impl.auth.TokenIntrospection;
 import io.serverlessworkflow.impl.executors.http.HttpClientResolver;
 import jakarta.ws.rs.ProcessingException;
 import jakarta.ws.rs.client.Client;
@@ -74,46 +73,6 @@ public JWT validateAndGet(WorkflowContext workflow, TaskContext context, Workflo
     return jwt;
   }
 
-  @Override
-  public TokenIntrospection introspect(
-      WorkflowContext workflow,
-      TaskContext context,
-      WorkflowModel model,
-      String token,
-      String tokenTypeHint) {
-    URI uri = endpoint(requestInfo.introspectionUri(), "introspection", workflow, context, model);
-    return execute(
-        context,
-        () -> {
-          try (Response response =
-              postManagementRequest(workflow, context, model, uri, token, tokenTypeHint)) {
-            ensureSuccessful(response, context, "introspect token");
-            Map<String, Object> body = response.readEntity(new GenericType<>() {});
-            return new TokenIntrospection(Boolean.TRUE.equals(body.get("active")), body);
-          }
-        });
-  }
-
-  @Override
-  public void revoke(
-      WorkflowContext workflow,
-      TaskContext context,
-      WorkflowModel model,
-      String token,
-      String tokenTypeHint) {
-    URI uri = endpoint(requestInfo.revocationUri(), "revocation", workflow, context, model);
-    execute(
-        context,
-        () -> {
-          // RFC 7009: a successful revocation responds with HTTP 200 and an empty body.
-          try (Response response =
-              postManagementRequest(workflow, context, model, uri, token, tokenTypeHint)) {
-            ensureSuccessful(response, context, "revoke token");
-            return null;
-          }
-        });
-  }
-
   private Map<String, Object> invoke(
       WorkflowContext workflowContext, TaskContext taskContext, WorkflowModel model) {
     return execute(
diff --git a/impl/http/src/test/java/io/serverlessworkflow/impl/executors/http/auth/JaxRSAccessTokenProviderTest.java b/impl/http/src/test/java/io/serverlessworkflow/impl/executors/http/auth/JaxRSAccessTokenProviderTest.java
@@ -15,32 +15,23 @@
  */
 package io.serverlessworkflow.impl.executors.http.auth;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.RETURNS_DEEP_STUBS;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import io.serverlessworkflow.impl.TaskContext;
 import io.serverlessworkflow.impl.WorkflowContext;
-import io.serverlessworkflow.impl.WorkflowException;
 import io.serverlessworkflow.impl.WorkflowValueResolver;
 import io.serverlessworkflow.impl.auth.AccessTokenProvider;
 import io.serverlessworkflow.impl.auth.HttpRequestInfo;
 import io.serverlessworkflow.impl.auth.JWTConverter;
-import io.serverlessworkflow.impl.auth.TokenIntrospection;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
-import okhttp3.mockwebserver.RecordedRequest;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
 
 class JaxRSAccessTokenProviderTest {
 
@@ -63,68 +54,6 @@ void tearDown() throws Exception {
     server.shutdown();
   }
 
-  @Test
-  void introspectSendsClientAuthAndTokenAndParsesActive() throws Exception {
-    server.enqueue(
-        new MockResponse()
-            .setHeader("Content-Type", "application/json")
-            .setBody("{\"active\": true, \"scope\": \"read\"}"));
-
-    TokenIntrospection result =
-        provider().introspect(workflow, task, null, "the-access-token", "access_token");
-
-    assertTrue(result.active());
-    assertEquals("read", result.claims().get("scope"));
-
-    RecordedRequest request = server.takeRequest();
-    assertEquals("POST", request.getMethod());
-    assertEquals("/oauth2/introspect", request.getPath());
-    assertEquals("application/x-www-form-urlencoded", request.getHeader("Content-Type"));
-    String body = request.getBody().readUtf8();
-    assertTrue(body.contains("token=the-access-token"));
-    assertTrue(body.contains("token_type_hint=access_token"));
-    assertTrue(body.contains("client_id=serverless-workflow"));
-    assertTrue(body.contains("client_secret=top-secret"));
-  }
-
-  @Test
-  void introspectReturnsInactiveForInactiveToken() throws Exception {
-    server.enqueue(
-        new MockResponse()
-            .setHeader("Content-Type", "application/json")
-            .setBody("{\"active\": false}"));
-
-    TokenIntrospection result = provider().introspect(workflow, task, null, "stale-token", null);
-
-    assertFalse(result.active());
-    RecordedRequest request = server.takeRequest();
-    assertFalse(request.getBody().readUtf8().contains("token_type_hint"));
-  }
-
-  @Test
-  void revokeSendsClientAuthAndToken() throws Exception {
-    server.enqueue(new MockResponse().setResponseCode(200));
-
-    provider().revoke(workflow, task, null, "the-access-token", "access_token");
-
-    RecordedRequest request = server.takeRequest();
-    assertEquals("POST", request.getMethod());
-    assertEquals("/oauth2/revoke", request.getPath());
-    assertEquals("application/x-www-form-urlencoded", request.getHeader("Content-Type"));
-    String body = request.getBody().readUtf8();
-    assertTrue(body.contains("token=the-access-token"));
-    assertTrue(body.contains("token_type_hint=access_token"));
-    assertTrue(body.contains("client_id=serverless-workflow"));
-  }
-
-  @Test
-  void revokeRaisesWorkflowExceptionOnErrorResponse() {
-    server.enqueue(new MockResponse().setResponseCode(400).setBody("unsupported_token_type"));
-
-    assertThrows(
-        WorkflowException.class, () -> provider().revoke(workflow, task, null, "bad-token", null));
-  }
-
   private AccessTokenProvider provider() {
     JWTConverter converter = token -> null;
     HttpRequestInfo requestInfo =
