From 85246d2d3ee4a8a9ed91baa93da2b42e77c8a62e Mon Sep 17 00:00:00 2001
From: Bas Verhoeven
Date: Mon, 13 Nov 2017 16:46:52 +0100
Subject: [PATCH] Parse 'sub' to identify resource owner

As per https://tools.ietf.org/html/rfc7662#section-2.2 the `sub` key should identify the resource owner in oauth2 introspection responses. This change adds support for the `sub` key and will allow the introspection response of RFC-compliant servers to be parsed. Will still try `user_id` first as to not break backward compatibility.
---
 .../introspectingfilter/IntrospectingTokenService.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
index 76eaf2225..ca207d99e 100644
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
@@ -244,7 +244,10 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 private Authentication createUserAuthentication(JsonObject token) {
 JsonElement userId = token.get("user_id");
 if(userId == null) {
- return null;
+ userId = token.get("sub");
+ if (userId == null) {
+ return null;
+ }
 }
 return new PreAuthenticatedAuthenticationToken(userId.getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));