Fix such that the OAuth2Authentication returned would have a `null` userAuthentication if `user_id` is not found during introspection

`sub` cannot be used to create the user authentication because it may not necessarily refer to the user. Instead if may refer to the client if the access token happens to be client-only.
2016-10-25 08:21:10 +08:00 · 2016-10-25 08:21:10 +08:00 · d361f01999
parent b2fab9642e
commit d361f01999
1 changed files with 8 additions and 3 deletions
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
@ -235,8 +235,13 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 		return storedRequest;
 	}

-	private Authentication createAuthentication(JsonObject token) {
-		return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
+	private Authentication createUserAuthentication(JsonObject token) {
+		JsonElement userId = token.get("user_id");
+		if(userId == null) {
+			return null;
+		}
+
+		return new PreAuthenticatedAuthenticationToken(userId.getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
 	}

 	private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) {
@ -321,7 +326,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 				return null;
 			}
 			// create an OAuth2Authentication
-			OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createAuthentication(tokenResponse));
+			OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createUserAuthentication(tokenResponse));
 			// create an OAuth2AccessToken
 			OAuth2AccessToken token = createAccessToken(tokenResponse, accessToken);