Enable caching of negative introspection responses

zmartzone · Aug 21, 2024 · 773f763 · 773f763
1 parent 9f3a4fc
commit 773f763
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -1720,6 +1720,11 @@ function openidc.introspect(opts)
 
   if v then
     json = cjson.decode(v)
+
+    if not json or not json.active then
+        err = "invalid cached token"
+    end
+
     return json, err
   end
 
@@ -1750,20 +1755,15 @@ function openidc.introspect(opts)
   end
   json, err = openidc.call_token_endpoint(opts, introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
 
-
   if not json then
     return json, err
   end
 
-  if not json.active then
-    err = "invalid token"
-    return json, err
-  end
-
   -- cache the results
   local introspection_cache_ignore = opts.introspection_cache_ignore or false
   local expiry_claim = opts.introspection_expiry_claim or "exp"
 
+
   if not introspection_cache_ignore and json[expiry_claim] then
     local introspection_interval = opts.introspection_interval or 0
     local ttl = json[expiry_claim]
@@ -1779,6 +1779,10 @@ function openidc.introspect(opts)
     set_cached_introspection(opts, access_token, cjson.encode(json), ttl)
   end
 
+  if not json.active then
+    err = "invalid token"
+  end
+
   return json, err
 
 end