auth: db-oauth2 - Clarify how introspect gets called
authorAki Tuomi <aki.tuomi@open-xchange.com>
Tue, 26 May 2020 10:38:09 +0000 (13:38 +0300)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Wed, 27 May 2020 07:51:31 +0000 (10:51 +0300)
This should make it more obvious when introspection
actually gets called after lookup.

The introspection failure is now also reported earlier,
rather than letting the request fail later because not
all fields are available.

src/auth/db-oauth2.c

index 91ed1343e9359016b6555879e8c52dcc3f5dc16c..d484c0a5ddc024d8f36a8ae7882575bb81281666 100644 (file)
@@ -667,11 +667,14 @@ db_oauth2_lookup_continue(struct oauth2_request_result *result,
                error = "Invalid token";
        } else {
                db_oauth2_fields_merge(req, result->fields);
-               if (*req->db->set.introspection_url != '\0' &&
-                   (req->db->set.force_introspection ||
-                    !db_oauth2_have_all_fields(req))) {
-                       e_debug(authdb_event(req->auth_request),
-                               "oauth2: Introspection needed after token validation");
+               if (req->token == NULL) {
+                       db_oauth2_callback(req, PASSDB_RESULT_INTERNAL_FAILURE,
+                                          "OAuth2 token missing from reply");
+                       return;
+               } else if (db_oauth2_have_all_fields(req) &&
+                          !req->db->set.force_introspection) {
+                       /* pass */
+               } else if (*req->db->set.introspection_url != '\0') {
                        db_oauth2_lookup_introspect(req);
                        return;
                }
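Review bot: When `force_introspection` is set but `introspection_url` is empty, none of the branches in the new `else if` chain matches, so execution falls through to the code after the hunk without the introspection the operator asked for. Unless settings validation elsewhere rejects that combination (not visible here), a closing branch would make it fail closed: `} else if (req->db->set.force_introspection) { db_oauth2_callback(req, PASSDB_RESULT_INTERNAL_FAILURE, "oauth2: force_introspection is set but introspection_url is empty"); return; }`. The commit also drops the `e_debug(authdb_event(req->auth_request), "oauth2: Introspection needed after token validation");` call; keeping it just before `db_oauth2_lookup_introspect(req);` would leave a trace in the auth debug log of when introspection was triggered. The `/* pass */` comment could state the condition instead, e.g. `/* all fields present and introspection not forced: skip introspection */`. db_oauth2_lookup_continue starts before and continues after this hunk, so what the fall-through path does next cannot be checked from here.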