For Client Credential Grants, we should not hit the UserInfo REST endpoint (as that is an OpenID Connect-specific endpoint). As a temporary solution (until the Spring Security 5.2 migration) we should only hit the UserInfo REST endpoint if the passed AccessToken has the scope openid.
We should also slightly expand the PrincipalExtractor and search for the properties cid and client_id. That way we have an identifiable moniker, e.g. for auditing.
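An added illustration of both points (not code from this issue or the project): a PrincipalExtractor that falls back to cid / client_id for client-credentials tokens, plus a scope check that gates the UserInfo call on openid. The "user_name" claim and the class name are assumptions for the example.

```java
// Added example, not project code. Targets the legacy Spring Security OAuth2
// PrincipalExtractor interface discussed in the issue.
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

/**
 * Resolves a principal name for user tokens and for client-credentials tokens.
 * User tokens are assumed to carry a "user_name" claim; client-credentials
 * tokens carry "cid" / "client_id", which becomes the audit moniker.
 */
public class ClientAwarePrincipalExtractor implements PrincipalExtractor {

    // Order matters: prefer a user identity, then fall back to the client id.
    private static final List<String> PRINCIPAL_KEYS =
            Arrays.asList("user_name", "cid", "client_id");

    @Override
    public Object extractPrincipal(Map<String, Object> map) {
        for (String key : PRINCIPAL_KEYS) {
            Object value = map.get(key);
            if (value != null && !value.toString().isEmpty()) {
                return value;
            }
        }
        // No usable claim: let the caller apply its default ("unknown").
        return null;
    }

    /**
     * UserInfo is an OpenID Connect endpoint, so consult it only when the
     * token was issued with the "openid" scope. A client-credentials token
     * without that scope is resolved from its own claims instead.
     */
    public static boolean shouldQueryUserInfo(OAuth2AccessToken token) {
        Set<String> scopes = token.getScope();
        return scopes != null && scopes.contains("openid");
    }
}
```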