Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens.

Set up an OpenID environment

Send the following request:

curl -X POST -d 'grant_type=client_credentials&scope=openid&client_id=MyClientId&client_secret=password' "http://openam.example.com:58080/openam/oauth2/access_token" -v

Returns

{"error":"server_error","error_description":"User must be authenticated to issue ID tokens."}

OAuth2Provider debug:

WARNING: Error authenticating user against OpenAM:
com.iplanet.sso.SSOException: Invalid session ID.
at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:131)
at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:296)
at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.validate(OpenAMResourceOwnerSessionValidator.java:141)
at org.forgerock.openidconnect.OpenIDTokenIssuer.issueToken(OpenIDTokenIssuer.java:82)
at org.forgerock.openam.oauth2.OpenAMScopeValidator.additionalDataToReturnFromTokenEndpoint(OpenAMScopeValidator.java:454)
at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(OpenAMOAuth2ProviderSettings.java:469)
at org.forgerock.oauth2.core.ClientCredentialsGrantTypeHandler.handle(ClientCredentialsGrantTypeHandler.java:84)
at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:82)
at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:92)
at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:87)
at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

Using other scopes (profile) works correctly and get expected output:

{"scope":"profile","expires_in":3599,"token_type":"Bearer","access_token":"db85e5ee-4134-451b-b5cb-e93d00dbd371"}

Using different Grant types for the openid scope works as expected.

Debug attached.