github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix such that `user_id` is only added if user authentication is available 

OAuth2Authentication#getPrincipal() used by OAuth2Authentication#getName() defaults to the client id if user authentication is not available.
Prior to this fix, an introspection of a client-only access token would result to the user_id also being the client_id. This causes problems when this
introspection result is converted into an OAuth2Authentication by a resource server's IntrospectingTokenService -- the user_id is populated with
the client_id and so OAuth2Authentication's userAuthentication is populated falsely.
pull/1079/merge
Sofia Ang 2016-10-25 08:15:11 +08:00 committed by Justin Richer
parent 4ac3916db3
commit b2fab9642e
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java
View File

@ -92,7 +92,9 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(SUB, authentication.getName());
}
result.put(USER_ID, authentication.getName());
if(authentication.getUserAuthentication() != null) {
result.put(USER_ID, authentication.getUserAuthentication().getName());
}
result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());
@ -131,7 +133,9 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(SUB, authentication.getName());
}
result.put(USER_ID, authentication.getName());
if(authentication.getUserAuthentication() != null) {
result.put(USER_ID, authentication.getUserAuthentication().getName());
}
result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());