RemoteTokenServices.loadAuthentication() should not check for client_id

[mekangas]

Per RFC 6749 (which doesn't address the topic) and RFC 7662 (which explicitly permits this), a valid check token response from the authorization server might not contain a client_id. Therefore, it isn't appropriate for RemoteTokenServices.loadAuthentication() to validate this. Rather, the contents of a token from an otherwise valid (i.e., non-error) response is the business of, say, OAuth2AuthenticationManager.authenticate(). The check currently in place limits the usefulness of RemoteTokenServices, especially for bearer tokens.

[yelhouti]

this is not an improvement but a bug fix, and Google Auth doesn't work with this

[gonzalad]

PR submitted #1020 could it be considered for inclusion please ?
Thanks !

[jgrandja]

@mekangas Yes you are correct, client_id is optional, however, active is required so this needs to be added in #840 along with tests. I've applied these changes and closed your PR in favour of f1a9b97.
Thank you for the report!

[mekangas]

Thanks for taking care of this!

…

On Mon, May 15, 2017 at 12:57 PM, Joe Grandja ***@***.***> wrote: @mekangas <https://github.com/mekangas> Yes you are correct, client_id is optional, however, active is required so this needs to be added in #840 <#840> along with tests. I've applied these changes and closed your PR in favour of f1a9b97 <f1a9b97> . Thank you for the report! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#838 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AUQ9Gej1RKOYoCk6oV95AeS9gpb5VYxQks5r6JIQgaJpZM4Jzv3d> .