We implemented the introspection endpoint from http://tools.ietf.org/html/draft-ietf-oauth-introspection-04.
That draft has since been published, with some changes, as https://tools.ietf.org/html/rfc7662, and we should update our implementation to match the final RFC.
In particular, the user_id field has been renamed "username". Renaming it won't be enough, because we do not actually respect the purpose of this field:
OPTIONAL. Human-readable identifier for the resource owner who authorized this token.
What we currently do is:
which has two problems:
- it duplicates the sub field
- getResourceOwnerId() returns an id, which is not what the RFC calls a human-readable identifier.
Instead, we should return the resource owner's username.
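To make the intended response shape concrete, here is an added example (not this project's code) of an RFC 7662 introspection response built from a token record, together with the check a resource server would run on it. The token store `TOKENS`, the field names `resource_owner_id` and `resource_owner_username`, and the functions `introspect` and `is_authorized` are all assumptions for the example. It shows `username` carrying the human-readable name while `sub` carries the stable identifier, and it returns only `{"active": false}` for unknown or expired tokens, as the RFC requires, so the endpoint does not reveal anything about tokens it will not honour.

```python
import time

# Constructed sample token store (opaque token -> record); not the project's data model.
TOKENS = {
    "tok-valid": {
        "resource_owner_id": 42,            # stable machine identifier -> "sub"
        "resource_owner_username": "alice", # human-readable name -> "username"
        "client_id": "web-app",
        "scope": ["read", "write"],
        "iat": 1700000000,
        "exp": 4102444800,                  # 2100-01-01, far in the future
    },
    "tok-expired": {
        "resource_owner_id": 7,
        "resource_owner_username": "bob",
        "client_id": "web-app",
        "scope": ["read"],
        "iat": 1600000000,
        "exp": 1600003600,                  # already expired
    },
}


def introspect(token, now=None):
    """Authorization-server side: build an RFC 7662 introspection response.

    Unknown, revoked or expired tokens all collapse to {"active": False} so the
    caller learns nothing beyond "not usable".
    """
    now = int(time.time()) if now is None else now
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] <= now:
        return {"active": False}
    return {
        "active": True,
        "scope": " ".join(rec["scope"]),          # space-separated per RFC 6749 / 7662
        "client_id": rec["client_id"],
        "username": rec["resource_owner_username"],  # human-readable (RFC 7662 "username")
        "sub": str(rec["resource_owner_id"]),        # subject identifier, distinct from username
        "token_type": "Bearer",
        "iat": rec["iat"],
        "exp": rec["exp"],
    }


def is_authorized(response, required_scope, now=None):
    """Resource-server side: accept a request only if the introspection
    response is active, not past its expiry, and grants the required scope."""
    now = int(time.time()) if now is None else now
    if response.get("active") is not True:
        return False
    if "exp" in response and response["exp"] <= now:
        return False
    granted = response.get("scope", "").split()
    return required_scope in granted


if __name__ == "__main__":
    print(introspect("tok-valid"))
    print(introspect("tok-expired"))
    print(introspect("tok-unknown"))
```

Note that `sub` and `username` are deliberately different values: the id stays available to clients that need a stable key, while `username` is what a human would recognise, which is exactly the distinction the current implementation misses.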