For Client Credential Grants, we should not hit the UserInfo REST endpoint (As that is an OpenId Connect-specific endpoint). As a temporary solution (until Spring Security 5.2 migration) we should only hit the UserInfo REST endpoint if a the passed AccessToken is of scope openid.
We should also, slightly expand the PrincipalExtractor and search for properties cid and client_id. That way we have an identifiable moniker e.g. for auditing.
For Client Credential Grants, we should not hit the
UserInfoREST endpoint (As that is an OpenId Connect-specific endpoint). As a temporary solution (until Spring Security 5.2 migration) we should only hit theUserInfoREST endpoint if a the passed AccessToken is of scopeopenid.We should also, slightly expand the
PrincipalExtractorand search for propertiescidandclient_id. That way we have an identifiable moniker e.g. for auditing.