
Fix such that `user_id` is only added if user authentication is available

OAuth2Authentication#getPrincipal(), used by OAuth2Authentication#getName(), defaults to the client id if user authentication is not available.
Prior to this fix, an introspection of a client-only access token would result in the user_id also being the client_id. This causes problems when this introspection result is converted into an OAuth2Authentication by a resource server's IntrospectingTokenService: the user_id is populated with the client_id, and so the OAuth2Authentication's userAuthentication is populated falsely.
pull/1079/merge
Sofia Ang 8 years ago committed by Justin Richer
parent commit b2fab9642e
1 changed file: openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultIntrospectionResultAssembler.java

@ -92,7 +92,9 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(SUB, authentication.getName()); result.put(SUB, authentication.getName());
} }
result.put(USER_ID, authentication.getName()); if(authentication.getUserAuthentication() != null) {
result.put(USER_ID, authentication.getUserAuthentication().getName());
}
result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId()); result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());
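Review bot: the null check on getUserAuthentication() is only applied to USER_ID here; the SUB claim two lines above is still taken from authentication.getName(), which the commit message says falls back to the client id when there is no user authentication. If a client-only token is meant to introspect with sub equal to the client_id, a short comment saying so would save the next reader from treating it as the same bug; if not, the same `if(authentication.getUserAuthentication() != null)` guard belongs around the SUB assignment too. Either way, a unit test that introspects a client-credentials token and asserts that user_id is absent would pin the new behaviour down, since no test file is part of this commit.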
@ -131,7 +133,9 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(SUB, authentication.getName()); result.put(SUB, authentication.getName());
} }
result.put(USER_ID, authentication.getName()); if(authentication.getUserAuthentication() != null) {
result.put(USER_ID, authentication.getUserAuthentication().getName());
}
result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId()); result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());
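Review bot: this hunk repeats the exact four lines of the first hunk (guard on getUserAuthentication(), then USER_ID from getUserAuthentication().getName()), so the two introspection methods in this class now carry a second copy of the same conditional. Pulling it into a small private helper that writes SUB, USER_ID and CLIENT_ID into the result map would keep the two paths from drifting apart the next time one of them is fixed. Minor style point in both hunks: the surrounding code spaces its keywords, so `if (` rather than `if(`.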
