Expected Behavior
As RFC 7662 states:
the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750]
The OAuth2 Introspection Endpoint usually requires client authentication (such as in the implementation of Spring Authorization Server).
The OAuth2 Introspection Endpoint might be used as a userinfo endpoint by an OAuth2 Client. So should client authentication be added to DefaultOAuth2UserService?
Current Behavior
Since no client authentication info is carried in OAuth2UserRequest when calling the userinfo endpoint, an HTTP 401 is returned.
Context
Comment From: jzheaux
You are correct that OAuth2UserService doesn't know about Introspection. As such, if you want to point it at an introspection endpoint, you should also configure its RestTemplate to include the appropriate client headers like so:
import org.springframework.http.client.support.BasicAuthenticationInterceptor;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.web.client.RestTemplate;

RestTemplate rest = new RestTemplate();
rest.setErrorHandler(new OAuth2ErrorResponseErrorHandler()); // translate OAuth2 error responses into OAuth2AuthorizationException
rest.getInterceptors().add(new BasicAuthenticationInterceptor(clientId, clientSecret)); // HTTP Basic client authentication on every request
DefaultOAuth2UserService userService = new DefaultOAuth2UserService();
userService.setRestOperations(rest); // use the authenticating RestTemplate for the userinfo call
Since /introspection is for verifying token validity, I don't think it's also intended to operate as a user info endpoint. As such, I think that DefaultOAuth2UserService should stay as-is.
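An added example, not code from this issue or from Spring Security, of what the wiring suggested above looks like once two RFC 7662 details are taken care of. First, the introspection endpoint expects a POST whose form body carries the token as `token`, whereas DefaultOAuth2UserService sends either an `Authorization: Bearer` header or an `access_token` form field, so the request entity converter is replaced. Second, an inactive (revoked or expired) token is reported with HTTP 200 and `{"active": false}`, which the RestTemplate does not treat as an error, so the response is refused unless `active` is true. The class name `IntrospectionBackedUserService` and the constructor are assumptions for illustration; the example also assumes the client registration's `user-info-uri` points at the introspection endpoint and `user-name-attribute` names a field the server actually returns (RFC 7662 lists `sub` and `username` as optional).

```java
import java.net.URI;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.client.support.BasicAuthenticationInterceptor;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/**
 * Added example (hypothetical class, not Spring Security's code): an
 * OAuth2UserService that loads the principal's attributes from an RFC 7662
 * introspection endpoint configured as the registration's user-info-uri.
 */
public final class IntrospectionBackedUserService
        implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {

    private final DefaultOAuth2UserService delegate = new DefaultOAuth2UserService();

    public IntrospectionBackedUserService(String clientId, String clientSecret) {
        // RFC 7662 section 2.1: the token travels as the form parameter "token".
        // DefaultOAuth2UserService would send a Bearer header (or "access_token"),
        // so the request builder is swapped out.
        this.delegate.setRequestEntityConverter(new IntrospectionRequestConverter());

        // RFC 7662 section 2.1: the endpoint must be protected. Here the client
        // authenticates with its own credentials via HTTP Basic on every call,
        // which is the RestTemplate setup jzheaux describes in the comment above.
        RestTemplate rest = new RestTemplate();
        rest.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
        rest.getInterceptors().add(new BasicAuthenticationInterceptor(clientId, clientSecret));
        this.delegate.setRestOperations(rest);
    }

    @Override
    public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
        OAuth2User user = this.delegate.loadUser(userRequest);
        // RFC 7662 section 2.2: "active" is REQUIRED in the response. An inactive
        // token is answered with HTTP 200 and "active": false, which is not an
        // error to the RestTemplate, so it must be rejected here rather than
        // turned into an authenticated user.
        if (!Boolean.TRUE.equals(user.getAttribute("active"))) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
                    "introspection endpoint reports the access token as not active", null);
            throw new OAuth2AuthenticationException(error, error.toString());
        }
        return user;
    }

    /** Builds "POST <user-info-uri>" with "token=<access token>" in the form body. */
    static final class IntrospectionRequestConverter
            implements Converter<OAuth2UserRequest, RequestEntity<?>> {

        @Override
        public RequestEntity<?> convert(OAuth2UserRequest userRequest) {
            URI uri = URI.create(userRequest.getClientRegistration()
                    .getProviderDetails().getUserInfoEndpoint().getUri());
            MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
            form.add("token", userRequest.getAccessToken().getTokenValue());
            form.add("token_type_hint", "access_token"); // optional hint per RFC 7662
            return RequestEntity.post(uri)
                    .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                    .body(form);
        }
    }
}
```

Register it as the `OAuth2UserService<OAuth2UserRequest, OAuth2User>` bean (or via `oauth2Login().userInfoEndpoint().userService(...)`). When the server follows RFC 7662 section 2.3 and returns only `{"active": false}`, the delegate already fails because the configured name attribute is missing; the explicit `active` check covers servers that include the principal's attributes alongside `active: false`, so a revoked token never becomes a login.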