OpenAM / OPENAM-10610

OAuth2 introspection endpoint should return "username" not user_id

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0, 14.0.0
    • Fix Version/s: None
    • Component/s: oauth2
    • Labels:

      Description

      We implemented the introspection endpoint from http://tools.ietf.org/html/draft-ietf-oauth-introspection-04

      It has now been released and some changes were made. We should update our implementation to match the latest https://tools.ietf.org/html/rfc7662.

      In particular, the user_id field has been renamed "username". Renaming it won't be enough, as we actually do not respect the purpose of this field:

      OPTIONAL. Human-readable identifier for the resource owner who
      authorized this token.

      What we currently do is:

          field(USER_ID, token.getResourceOwnerId()),

      which has two problems:

      • it is duplicating the field sub:

            field(OAuth2Constants.JWTTokenParams.SUB, token.getResourceOwnerId()),

      • getResourceOwnerId() is returning an id; it's not exactly what we call a human-readable identifier.

      Instead, we should return the resource owner username.

            People

            • Assignee: Unassigned
            • Reporter: Quentin CASTEL (quentin.castel)
            • Votes: 0
            • Watchers: 1
