Hello, I am using CAS 6.2.5 and I also noticed the same issue. When I make a request to the /introspect endpoint with an access_token as parameter and basic authorization header with client_id:client_secret, the "client-id" claim of the introspect response contains the client_id I passed in the auth header instead of containing the "client_id" which requested the access_token.
I looked at the source code to understand how the introspection response is generated. I am not a Java developer, but I think the issue is coming from this line: https://github.com/apereo/cas/blob/9254e2a872c866d7639b46d27d7a67bc6b2ed273/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/endpoints/OAuth20IntrospectionEndpointController.java#L129

introspect.setClientId(*service*.getClientId());

should probably be

introspect.setClientId(*ticket*.getClientId());

to display the client_id from the access_token passed in parameter. Could someone confirm my diagnosis and suggested fix? Is there a workaround/configuration known by CAS experts?

-Frederic

On Monday, May 27, 2019 at 5:54:58 PM UTC+2 Thibault C wrote:
> Hi!
>
> Currently, client_id in OIDC and Oauth2 response is the id of the user who
> make the introspect request.
>
> In RFC 7662 (https://tools.ietf.org/html/rfc7662#section-2.2):
>
>> client_id
>> OPTIONAL. Client identifier for the OAuth 2.0 client that
>> requested this token.
>
> How can I open an issue to apereo ?
>
> Sincerely,
> Thibault
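To make the reported behaviour concrete, here is an added Python model of an RFC 7662 introspection response (example code, not CAS's own); the token store, the client names `app-a` and `rs-b`, and the `fixed` switch are constructed for illustration.

```python
# Added example (not CAS code): a minimal RFC 7662 introspection response
# builder that models the client_id attribution bug described in the thread.
# The token store, client names and field set are constructed for illustration.
from dataclasses import dataclass
import time


@dataclass
class AccessToken:
    value: str
    client_id: str       # client that originally requested the token
    scopes: tuple
    subject: str
    expires_at: int


# Constructed sample: token issued to "app-a"; later introspected by "rs-b",
# which authenticates to /introspect with its own client_id:client_secret.
TOKENS = {
    "AT-1": AccessToken("AT-1", "app-a", ("openid", "profile"), "alice",
                        int(time.time()) + 3600),
}


def introspect(token_value, caller_client_id, fixed=True, now=None):
    """Return an RFC 7662 introspection response dict.

    caller_client_id is the client authenticated via the Basic header.
    fixed=False reproduces the reported behaviour (client_id reflects the
    caller); fixed=True attributes the token to the client that requested it.
    """
    now = int(time.time()) if now is None else now
    ticket = TOKENS.get(token_value)
    if ticket is None or ticket.expires_at <= now:
        return {"active": False}   # RFC 7662: say nothing else about inactive tokens
    return {
        "active": True,
        "client_id": ticket.client_id if fixed else caller_client_id,
        "scope": " ".join(ticket.scopes),
        "sub": ticket.subject,
        "exp": ticket.expires_at,
        "token_type": "Bearer",
    }


def client_id_attribution_ok(response, expected_client_id):
    """Regression check: the client_id claim must name the client the token
    was issued to, never whoever happened to call /introspect."""
    return bool(response.get("active")) and response.get("client_id") == expected_client_id
```

Running `introspect("AT-1", "rs-b", fixed=False)` yields `client_id: rs-b` (the caller), while the fixed path yields `app-a`, which is what a resource server needs to audit who the token was issued to.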
