SpringOpaqueTokenIntrospector.java, in the method requestBody, hardcodes "token" as the parameter key for passing the access token, but the Google introspection URI accepts only "access_token". This results in it always failing even if I use the Google introspection URI https://oauth2.googleapis.com/tokeninfo?access_token=XYZ or https://www.googleapis.com/oauth2/v3/userinfo?access_token=XYZ

This is the method from SpringOpaqueTokenIntrospector.requestBody:

```java
private MultiValueMap<String, String> requestBody(String token) {
	MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
	body.add("token", token); // Look here, it is always "token" but google expects "access_token"
	return body;
}
```

This is the introspection URI for google:

Opaque token
https://oauth2.googleapis.com/tokeninfo?access_token=myopaquetokensample
https://www.googleapis.com/oauth2/v3/userinfo?access_token=myopaquetokensample

JWT token
https://oauth2.googleapis.com/tokeninfo?id_token=myjwttokensample

Another concern is that the google response for an opaque token has no 'active' claim. Below is a sample response from google for an opaque token, using postman, when I change "token" to "access_token":

```json
{
  "azp": "55630734-98bub37ohu8e634gcevs1oi6.apps.googleusercontent.com",
  "aud": "55630734-98bub37ohu8e634gcevs1oi6.apps.googleusercontent.com",
  "sub": "14940111433031",
  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid",
  "exp": "1702352339",
  "expires_in": "2086",
  "email": "blanck.test@gmail.com",
  "email_verified": "true",
  "access_type": "online"
}
```
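Added illustration, not part of the issue or of Spring Security's code: the two mismatches reported above, checked against RFC 7662, which names the request parameter `token` and requires a boolean `active` member in the response. The reply below is a constructed stand-in shaped like the one quoted above; `check_tokeninfo` and `expected_aud` are hypothetical names, and the `aud`/`exp` checks are an assumption about what a caller must verify itself when no `active` verdict is returned.

```python
from urllib.parse import urlencode
import time

# Constructed stand-in for the tokeninfo reply quoted in the issue
# (identifiers replaced with placeholder values).
TOKENINFO_REPLY = {
    "azp": "client-id.example",
    "aud": "client-id.example",
    "sub": "0000000000",
    "scope": "https://www.googleapis.com/auth/userinfo.email openid",
    "exp": "1702352339",
    "expires_in": "2086",
    "email_verified": "true",
    "access_type": "online",
}


def rfc7662_request_body(token):
    """Form body of an RFC 7662 introspection request: the key is 'token'."""
    return urlencode({"token": token})


def rfc7662_active(reply):
    """RFC 7662 requires a boolean 'active'; a missing or non-boolean
    value cannot be read as a positive verdict."""
    return reply.get("active") is True


def check_tokeninfo(reply, expected_aud, now=None):
    """Checks the caller has to make itself on a reply that carries no
    'active' member. Returns a list of problems; empty means acceptable."""
    now = time.time() if now is None else now
    problems = []
    # A token issued to a different client must not be accepted here.
    if reply.get("aud") != expected_aud:
        problems.append("aud does not match this client")
    try:
        # The reply carries 'exp' as a string of epoch seconds.
        if int(reply["exp"]) <= now:
            problems.append("token expired")
    except (KeyError, ValueError, TypeError):
        problems.append("exp missing or not numeric")
    return problems
```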

Comment From: jzheaux

SpringOpaqueTokenIntrospector is intended for OAuth 2.0 Introspection Endpoints, but the Google endpoints you've listed are OIDC ID Token endpoints. Please take a look at OidcUserService instead.

Comment From: oexos

but the Google endpoints you've listed are OIDC ID Token endpoints -> you mean those endpoints are not google introspection URI? If so then may I know what is the introspection URI of google?