From b2fab9642ee7502a218ae1330ca90e391a1cda6c Mon Sep 17 00:00:00 2001
From: Sofia Ang
Date: Tue, 25 Oct 2016 08:15:11 +0800
Subject: [PATCH] Fix such that `user_id` is only added if user authentication is available
OAuth2Authentication#getPrincipal() used by OAuth2Authentication#getName() defaults to the client id if user authentication is not available. Prior to this fix, an introspection of a client-only access token would result to the user_id also being the client_id. This causes problems when this introspection result is converted into an OAuth2Authentication by a resource server's IntrospectingTokenService -- the user_id is populated with the client_id and so OAuth2Authentication's userAuthentication is populated falsely.
---
 .../service/impl/DefaultIntrospectionResultAssembler.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java
index 7d69ca19d..e630667d2 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java
@@ -92,7 +92,9 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
 result.put(SUB, authentication.getName());
 }
- result.put(USER_ID, authentication.getName());
+ if(authentication.getUserAuthentication() != null) {
+ result.put(USER_ID, authentication.getUserAuthentication().getName());
+ }
 result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());
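Review bot: The new guard calls `authentication.getUserAuthentication()` twice, once for the null check and once for the value it protects; a local keeps the two tied to the same object and reads more plainly, e.g. `Authentication userAuth = authentication.getUserAuthentication();` / `if (userAuth != null) {` / `    result.put(USER_ID, userAuth.getName());`. The identical three lines are repeated in the second hunk at `@@ -131,7 +133,9 @@`, so a small private helper taking `result` and `authentication` would keep the two assemble paths from drifting apart as further claims are added. Since the reason for the guard lives only in the commit message, a comment on the new `if` such as `// client-only tokens carry no user authentication; omit user_id rather than fall back to the client id` would spare the next reader the archaeology. Whether the resource-server side treats an absent `user_id` as "no user" is not visible in this change and is worth confirming against the consumer. The enclosing method starts and ends outside the hunk.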
@@ -131,7 +133,9 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
 result.put(SUB, authentication.getName());
 }
- result.put(USER_ID, authentication.getName());
+ if(authentication.getUserAuthentication() != null) {
+ result.put(USER_ID, authentication.getUserAuthentication().getName());
+ }
 result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());