Per RFC 6749 (which doesn't address the topic) and RFC 7662 (which explicitly permits this), a valid _check token_ response from the authorization server might not contain a client_id. Therefore, it isn't appropriate for RemoteTokenServices.loadAuthentication() to validate this. Rather, the contents of a token from an otherwise valid (i.e., non-error) response are the business of, say, OAuth2AuthenticationManager.authenticate(). The check currently in place limits the usefulness of RemoteTokenServices, especially for bearer tokens.
This is not an improvement but a bug fix, and Google Auth doesn't work with this.
PR submitted: #1020. Could it be considered for inclusion, please?
Thanks!
@mekangas Yes, you are correct: client_id is optional; however, active is required, so this needs to be added in #840 along with tests. I've applied these changes and closed your PR in favour of f1a9b97.
Thank you for the report!
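Added illustration of the rule the thread settles on (not Spring's code and not from the project): a language-neutral validator for an RFC 7662 introspection ("check token") response that treats `active` as required and `client_id` as optional, so a bearer token introspected without a client_id is still accepted. The sample responses are constructed.

```python
import json
import time

# Constructed sample introspection responses (RFC 7662 section 2.2).
ACTIVE_NO_CLIENT_ID = json.dumps(
    {"active": True, "scope": "read write", "username": "alice", "exp": 4102444800}
)
INACTIVE = json.dumps({"active": False})
MISSING_ACTIVE = json.dumps({"client_id": "app", "scope": "read"})
EXPIRED = json.dumps({"active": True, "client_id": "app", "exp": 1})


class InvalidTokenError(Exception):
    """Raised when the introspection response does not describe a usable token."""


def load_authentication(body, now=None):
    """Validate an introspection response and return the token's attributes.

    - 'active' is REQUIRED (RFC 7662 2.2) and must be a JSON boolean.
    - 'client_id' is OPTIONAL; its absence must not cause rejection.
    - 'exp' / 'nbf' are optional but are enforced when present.
    """
    now = time.time() if now is None else now
    try:
        claims = json.loads(body)
    except ValueError as exc:
        raise InvalidTokenError("introspection response is not valid JSON") from exc
    if not isinstance(claims, dict):
        raise InvalidTokenError("introspection response must be a JSON object")
    active = claims.get("active")
    if not isinstance(active, bool):  # rejects missing, "true", 1, etc.
        raise InvalidTokenError("'active' is required and must be a boolean")
    if not active:
        raise InvalidTokenError("token is not active")
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        raise InvalidTokenError("token has expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise InvalidTokenError("token is not yet valid")
    return {
        "client_id": claims.get("client_id"),  # None is acceptable here
        "username": claims.get("username"),
        "scopes": claims.get("scope", "").split(),  # space-delimited per RFC 6749 3.3
    }


def is_valid(body, now=None):
    """Boolean convenience wrapper around load_authentication()."""
    try:
        load_authentication(body, now)
        return True
    except InvalidTokenError:
        return False
```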
Thanks for taking care of this!