I have an application that gets an Access Token from CAS 5.3.9 via the Authorization Code Grant and when I query the /oauth2/profile endpoint using that Access Token, I get a full user profile as expected.
However, when I acquire my Access Token via the Password Grant Type, then I get an almost empty user profile with the client_id as its only content. Like so:
{
"attributes" : { },
"id" : "myClientId"
}
I noticed that a similar issue appears to have been fixed for the 5.3.X branch: https://github.com/apereo/cas/pull/3445
My question: is this the expected behavior? Are there different classes of Access Tokens?
To reproduce, get Access Token first:
curl -X GET -k -i 'https://cas-server:8443/ooscas/oauth2.0/accessToken?grant_type=password&client_id=myClientId&client_secret=secret&username=john&password=johnspassword'
Then get User Profile with the Access Token received:
curl -X GET -k -i 'https://cas-server:8443/ooscas/oauth2.0/profile?access_token=AT-5-xLbu5yX-rh0w4xwZB80vWAisSzfvdB9a'
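Added example, not code from the original question or from the CAS project: a small Python script that runs the same two-step reproduction (password grant, then /profile) and classifies the returned profile, so you can tell at a glance whether the access token was bound to the user or, as in the symptom above, to the client. The base URL, client id, secret and user credentials are placeholders taken from the post; the token-response parser accepts both JSON and the older form-encoded `access_token=...` shape because CAS has served both depending on version and configuration (assumption). Credentials are sent in a POST body rather than in the query string used by the curl command, and TLS verification is left on; pass your own `ssl.SSLContext` if the lab server uses a self-signed certificate.

```python
"""Reproduce the CAS OAuth2 password-grant / profile check and classify the result.

Added example (assumptions marked inline); not part of the original post.
"""
import json
import ssl
import urllib.parse
import urllib.request

# Placeholder deployment values, mirroring the post's curl commands.
CAS_BASE = "https://cas-server:8443/ooscas/oauth2.0"
CLIENT_ID = "myClientId"
CLIENT_SECRET = "secret"
USERNAME = "john"
PASSWORD = "johnspassword"


def parse_token_response(body: str) -> dict:
    """Parse an accessToken response.

    Assumption: the body is either JSON ({"access_token": ...}) or a
    form-encoded string (access_token=AT-...&expires_in=...); CAS has used
    both shapes across versions.
    """
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}
    if "access_token" not in data:
        raise ValueError("no access_token in response: %r" % body)
    return data


def classify_profile(profile: dict, username: str, client_id: str) -> str:
    """Return 'user', 'client' or 'unknown' for a /profile document.

    'client' is the symptom described in the post: id equals the client_id
    and attributes are empty, i.e. the token carries no resource owner.
    """
    pid = profile.get("id")
    if pid == username:
        return "user"
    if pid == client_id and not profile.get("attributes"):
        return "client"
    return "unknown"


def password_grant(ctx: ssl.SSLContext = None) -> str:
    """Obtain an access token with the Resource Owner Password grant.

    Credentials go in the POST body so they stay out of server access logs
    (the post's curl sends them as GET query parameters).
    """
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "username": USERNAME,
        "password": PASSWORD,
    }).encode()
    req = urllib.request.Request(CAS_BASE + "/accessToken", data=form, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.read().decode())["access_token"]


def fetch_profile(access_token: str, ctx: ssl.SSLContext = None) -> dict:
    """Call /profile with the token as a query parameter, as in the post."""
    url = CAS_BASE + "/profile?" + urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(url, context=ctx) as resp:
        return json.loads(resp.read().decode())


def check_live(ctx: ssl.SSLContext = None) -> str:
    """Full reproduction against a real server; returns the classification."""
    token = password_grant(ctx)
    return classify_profile(fetch_profile(token, ctx), USERNAME, CLIENT_ID)


def check_offline() -> dict:
    """Run the classification over constructed sample responses (no network)."""
    # Constructed samples: the empty profile from the post and a healthy one.
    buggy = json.loads('{"attributes": {}, "id": "myClientId"}')
    healthy = {"id": "john", "attributes": {"email": "john@example.test"}}
    return {
        "buggy": classify_profile(buggy, USERNAME, CLIENT_ID),
        "healthy": classify_profile(healthy, USERNAME, CLIENT_ID),
    }


if __name__ == "__main__":
    print(check_offline())
```

Run `check_live()` against your own server (with an `ssl.SSLContext` that trusts its certificate) to reproduce the issue; `check_offline()` exercises the classifier on constructed samples and needs no server.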
Apparently this is a bug in CAS, which has been fixed for version 6 only:
https://github.com/apereo/cas/pull/4238
Integrating that patch in my version of CAS solved the problem.