OAuth2 method security expression not working with client credentials tokens

[marcioaug]

In UserInfoTokenService (org.springframework.boot.autoconfigure.security.oauth2.resource)

private OAuth2Authentication extractAuthentication(Map<String, Object> map) {
...
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                principal, "N/A", authorities);
        token.setDetails(map);
        return new OAuth2Authentication(request, token);

org.springframework.security.oauth2.provide.OAuth2Authentication:

    public OAuth2Authentication(OAuth2Request storedRequest, Authentication userAuthentication) {
        super(userAuthentication == null ? storedRequest.getAuthorities() : userAuthentication.getAuthorities());
        this.storedRequest = storedRequest;
        this.userAuthentication = userAuthentication;
    }

Always sends the userAuthentication , even when the token is obtained by client_crendetials grant type. This causes a fail in OAuth2Authentication

    public boolean isClientOnly() {
        return userAuthentication == null;
    }

Since the userAuthentication will never be null.

[dsyer]

I guess UserInfoTokenServices is completely not designed to handle client credentials tokens (which seems reasonable on the face of it). Maybe it should fail more spectacularly? Can you explain why you need to do this?

[DisastrousFile]

I'm facing the same issue, using the following setup : I have an API gateway based on spring cloud netflix / zuul and I need to check if a request is made by an end user or an application (using the client credentials flow). Currently, the Authenticationis always set as a user authentication. Do I need to subclass UserInfoTokenServices ? I'm on spring boot 1.4.2 and spring cloud Camden.SR7

[snicoll]

@edp0 as mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Please ask your question on StackOverflow.