Our IdP returns the scope claim as a JSON array, which is not converted properly by SpringOpaqueTokenIntrospector because of this line: https://github.com/spring-projects/spring-security/blob/feff7476693e47a1b28543521dae2bb79e8a1b3e/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/SpringOpaqueTokenIntrospector.java#L216
But it would work out of the box if SpringOpaqueTokenIntrospector checked for List.
Comment From: eleftherias
Thanks for reaching out @DerThanne.
This is not a change we will be making because the introspection RFC states that scope is a string.
Please see #9270 for additional details and the recommended mitigation.
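
For readers whose IdP sends `scope` as an array, the following is an added example, not part of the thread and not Spring Security's own code, of handling it on the application side by wrapping the configured introspector. The class name `ScopeNormalizingIntrospector` is hypothetical, and the code assumes the delegate leaves the raw `scope` attribute on the returned principal; it is not necessarily the mitigation described in #9270.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Hypothetical wrapper (name chosen for this example, not a Spring Security class).
public class ScopeNormalizingIntrospector implements OpaqueTokenIntrospector {

    private static final String AUTHORITY_PREFIX = "SCOPE_";

    private final OpaqueTokenIntrospector delegate;

    public ScopeNormalizingIntrospector(OpaqueTokenIntrospector delegate) {
        this.delegate = delegate;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        // Assumption: the delegate keeps the raw "scope" attribute on the principal.
        OAuth2AuthenticatedPrincipal principal = this.delegate.introspect(token);
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        for (String scope : toScopes(principal.getAttributes().get("scope"))) {
            authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope));
        }
        // Authorities are rebuilt from scope only; attributes are passed through unchanged.
        return new DefaultOAuth2AuthenticatedPrincipal(
                principal.getName(), principal.getAttributes(), authorities);
    }

    // Accepts the RFC 7662 form (space-delimited string) and a JSON array of strings.
    static List<String> toScopes(Object scope) {
        List<String> scopes = new ArrayList<>();
        if (scope instanceof String) {
            for (String s : ((String) scope).trim().split("\\s+")) {
                if (!s.isEmpty()) scopes.add(s);
            }
        } else if (scope instanceof Collection) {
            for (Object element : (Collection<?>) scope) {
                // Fail closed: only whitespace-free strings become authorities.
                if (element instanceof String && ((String) element).matches("\\S+")) {
                    scopes.add((String) element);
                }
            }
        } // null or any other type grants nothing
        return scopes;
    }
}
```

Registering the wrapper as the application's `OpaqueTokenIntrospector` bean, with the existing introspector passed in as the delegate, keeps the non-RFC handling in one auditable place.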