Currently, when an Open Payments client tries to access a resource at the RS (resource server), for example getting an outgoing payment, the client does not know whether the token they've presented is simply inactive and needs to be rotated, or whether the token presented does not have the correct permissions to access the resource (insufficient grant/access).
This is because when the RS presents the token to the AS, even if the token is active (not expired), the AS will end up returning an inactive token if the grant's access does not include the request's access (see rafiki/packages/auth/src/accessToken/service.ts, lines 94 to 103 in d6d65ff).
As a result, the RS's token introspection middleware will always return an Inactive Token error, even though that's not really the case (the token is active; it's just that the grant has incorrect permissions).
Desired behaviour
If an Open Payments client tries to access a resource at the RS and presents an active (non-expired) token but the token does not have the correct access as compared to the request's access, they should see an Insufficient Grant error.
Todo
In the AS, instead of returning an inactive token introspection response when the access item matching the request wasn't found (foundAccessItem), we should return an empty array in the access: { active: true, access: [], ...}
In the RS token introspection middleware, if the token introspection response includes an active token, but with an empty access list, the RS should return an Insufficient Grant 403 error
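The two-sided behaviour the Todo items describe, written out as an added example in TypeScript (this is not Rafiki's own code). It models the AS introspection decision and the RS middleware that maps the result to either a 401 Inactive Token or a 403 Insufficient Grant; the type names, the in-memory token store, the `covers` matching rule and the sample tokens are all assumptions made for illustration, not the project's actual schema or matching logic.

```typescript
// Added example (not Rafiki's own code): models the AS token introspection
// decision described in the issue and the RS middleware that maps the
// introspection result to 401 "Inactive Token" or 403 "Insufficient Grant".
// Type names, the token store and the matching rule are assumptions.

type AccessAction = 'create' | 'read' | 'list' | 'complete';

interface AccessItem {
  type: string;            // e.g. 'outgoing-payment'
  actions: AccessAction[];
  identifier?: string;     // e.g. the wallet address the grant is scoped to
}

interface StoredToken {
  value: string;
  expiresAt: number;       // epoch milliseconds
  grantAccess: AccessItem[];
}

type IntrospectionResponse =
  | { active: false }
  | { active: true; access: AccessItem[] };

// Constructed sample token store standing in for the AS database.
const NOW = 1_700_000_000_000;
const TOKENS: Record<string, StoredToken> = {
  'tok-active-op': {
    value: 'tok-active-op',
    expiresAt: NOW + 60_000,
    grantAccess: [
      { type: 'outgoing-payment', actions: ['read', 'create'], identifier: 'https://wallet.example/alice' },
    ],
  },
  'tok-expired': {
    value: 'tok-expired',
    expiresAt: NOW - 1,
    grantAccess: [{ type: 'outgoing-payment', actions: ['read'] }],
  },
};

// Does a granted access item cover the requested one? Type and every requested
// action must match; if the grant is scoped to an identifier, that must match too.
function covers(granted: AccessItem, requested: AccessItem): boolean {
  if (granted.type !== requested.type) return false;
  if (granted.identifier && granted.identifier !== requested.identifier) return false;
  return requested.actions.every((a) => granted.actions.includes(a));
}

// AS side: the behaviour the issue asks for. An unknown or expired token is
// inactive; an active token whose grant lacks the requested access is reported
// as active with an empty access list instead of as inactive.
function introspect(tokenValue: string, requested: AccessItem, now = NOW): IntrospectionResponse {
  const token = TOKENS[tokenValue];
  if (!token || token.expiresAt <= now) return { active: false };
  const foundAccessItem = token.grantAccess.find((g) => covers(g, requested));
  return { active: true, access: foundAccessItem ? [foundAccessItem] : [] };
}

interface AuthzResult {
  status: number;
  error?: 'Inactive Token' | 'Insufficient Grant';
  access?: AccessItem[];
}

// RS side: the middleware decision. 401 tells the client to rotate the token;
// 403 tells it the token is fine but the grant does not permit this request.
function authorize(tokenValue: string, requested: AccessItem, now = NOW): AuthzResult {
  const res = introspect(tokenValue, requested, now);
  if (!res.active) return { status: 401, error: 'Inactive Token' };
  if (res.access.length === 0) return { status: 403, error: 'Insufficient Grant' };
  return { status: 200, access: res.access };
}
```

The point of keeping the two branches separate in `authorize` is that the client can now act correctly on each: a 401 means rotate the token and retry, while a 403 means retrying with a rotated token will never help because the underlying grant has to be re-requested with wider access.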