spring-cloud / spring-cloud-common-security-config

A common security infrastructure used by Spring Cloud Data Flow and the projects in its ecosystem

Don't hit UserInfo UAA endpoint for Client Credential Grants #63

Closed ghillert closed 5 years ago

ghillert commented 5 years ago

For Client Credential Grants, we should not hit the UserInfo REST endpoint (as that is an OpenID Connect-specific endpoint). As a temporary solution (until the Spring Security 5.2 migration) we should only hit the UserInfo REST endpoint if the passed AccessToken is of scope openid.

We should also slightly expand the PrincipalExtractor and search for the properties cid and client_id. That way we have an identifiable moniker, e.g. for auditing.
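The two changes proposed above, as an added example that is not part of the issue or of the project's code: a PrincipalExtractor that falls back to the cid and client_id claims, and a helper that decides whether the UserInfo endpoint may be called at all. It assumes the PrincipalExtractor interface from Spring Boot's OAuth2 resource auto-configuration (org.springframework.boot.autoconfigure.security.oauth2.resource, the pre-Spring-Security-5.2 stack the issue refers to); the class name, the helper names and the claim values in main are hypothetical and constructed for the example.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;

// Hypothetical class name; the interface is Spring Boot's.
public class ClientAwarePrincipalExtractor implements PrincipalExtractor {

    // Keys tried in order. User-style keys come first because a UAA token issued to a
    // user also carries "cid", and the audit moniker should then be the user, not the client.
    private static final List<String> PRINCIPAL_KEYS = Arrays.asList(
            "user_name", "user", "username", "cid", "client_id");

    @Override
    public Object extractPrincipal(Map<String, Object> map) {
        for (String key : PRINCIPAL_KEYS) {
            Object value = map.get(key);
            if (value != null) {
                return value;
            }
        }
        return null; // no usable moniker in these claims
    }

    /**
     * UserInfo is an OpenID Connect endpoint, so it is only consulted when the (already
     * validated) token carries the "openid" scope; a client-credentials token normally does not.
     */
    public static boolean shouldCallUserInfo(Map<String, Object> claims) {
        return scopesOf(claims).contains("openid");
    }

    /** UAA encodes "scope" as a JSON array; other servers use a space-delimited string. Accept both. */
    static Set<String> scopesOf(Map<String, Object> claims) {
        Set<String> result = new LinkedHashSet<>();
        Object scope = claims.get("scope");
        if (scope instanceof Collection) {
            for (Object s : (Collection<?>) scope) {
                result.add(String.valueOf(s));
            }
        } else if (scope instanceof String) {
            for (String s : ((String) scope).trim().split("\\s+")) {
                if (!s.isEmpty()) {
                    result.add(s);
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        ClientAwarePrincipalExtractor extractor = new ClientAwarePrincipalExtractor();

        // Constructed claims of a client-credentials token: no user, no openid scope.
        Map<String, Object> clientToken = new HashMap<>();
        clientToken.put("cid", "dataflow-client");
        clientToken.put("client_id", "dataflow-client");
        clientToken.put("scope", Arrays.asList("dataflow.create", "dataflow.view"));

        // Constructed claims of a user token obtained through an OpenID Connect flow.
        Map<String, Object> userToken = new HashMap<>();
        userToken.put("user_name", "alice");
        userToken.put("cid", "dataflow-client");
        userToken.put("scope", "openid dataflow.view");

        for (Map<String, Object> claims : Arrays.asList(clientToken, userToken)) {
            System.out.println("principal=" + extractor.extractPrincipal(claims)
                    + " callUserInfo=" + shouldCallUserInfo(claims));
        }
    }
}
```

The scope check operates on claims that the resource server has already validated (signature and expiry), so the decision never trusts anything the caller could not have presented as a valid token; it only avoids an extra round trip, and a UserInfo failure, for tokens that were never issued through an OpenID Connect flow.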