CAS-OIDC ClientId Introspection Response

Thibault C

May 27, 2019, 11:54:58 AM5/27/19
to CAS Community
Hi!

Currently, client_id in the OIDC and OAuth2 introspection response is the id of the client who makes the introspect request.

client_id
      OPTIONAL.  Client identifier for the OAuth 2.0 client that
      requested this token.

How can I open an issue with Apereo?

Sincerely,
Thibault

Frédéric Lohier

Dec 21, 2020, 10:33:49 AM12/21/20
to CAS Community, Thibault C
Hello,

I am using CAS 6.2.5 and I also noticed the same issue.
When I make a request to the /introspect endpoint with an access_token as parameter and basic authorization header with client_id:client_secret, the "client-id" claim of the introspect response contains the client_id I passed in the auth header instead of containing the "client_id" which requested the access_token.

I looked at the source code to understand how the introspection response is generated. I am not a Java developer, but I think the issue is coming from this line:

introspect.setClientId(service.getClientId());  

should probably be 

introspect.setClientId(ticket.getClientId()); 

to display the client_id from the access_token passed in parameter.

Could someone confirm my diagnosis and suggested fix? Is there a workaround/configuration known by CAS experts?

-Frederic
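A way to check which behaviour a deployment exhibits, as an added example that is not part of the thread or of the CAS code base: obtain an access token as one client, introspect it with a second client's credentials (client_secret_basic), and see whether "client_id" names the token's owner (RFC 7662 semantics) or the caller (the behaviour described above). The endpoint URL, the `token` form parameter and the client names are assumptions/placeholders.

```python
"""Added example (not from the thread or CAS): classify an RFC 7662
introspection response as reporting the token owner or the caller."""
import base64
import json
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://cas.example.org/cas/oidc/introspect"  # placeholder


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def classify_client_id(response: dict, owner_id: str, caller_id: str) -> str:
    """Interpret a response for a token issued to owner_id that was
    introspected with caller_id's credentials (owner_id != caller_id)."""
    if not response.get("active"):
        return "inactive"
    reported = response.get("client_id")
    if reported == owner_id:
        return "owner"    # correct per RFC 7662 ("client that requested this token")
    if reported == caller_id:
        return "caller"   # the behaviour reported in this thread
    return "unknown"


def introspect(token: str, caller_id: str, caller_secret: str) -> dict:
    """POST the token to the endpoint with the caller's credentials (network call)."""
    data = urllib.parse.urlencode({"token": token}).encode()  # parameter name assumed
    req = urllib.request.Request(INTROSPECT_URL, data=data, method="POST")
    req.add_header("Authorization", basic_auth_header(caller_id, caller_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Obtain a token as "client-a" beforehand, then introspect it as "client-b".
    resp = introspect("AT-PLACEHOLDER", "client-b", "secret-b")
    print(classify_client_id(resp, owner_id="client-a", caller_id="client-b"))
```

A result of "caller" reproduces the issue described in this thread; "owner" means the endpoint reports the client the token was issued to.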