Fallback to client_id when cid is missing #3790
Merged
Pull request overview
This PR updates token validation and refresh-token processing to handle cases where the JWT cid claim is missing (and to better detect conflicting cid vs client_id), improving compatibility with legacy/external tokens.
Changes:
- Update access-token client validation to accept `client_id` when `cid` is absent and to reject conflicting claims.
- Update refresh-token flow to resolve the client ID via `cid` with fallback to `client_id`.
- Add unit tests covering the new claim-resolution behaviors for both access-token validation and refresh-token exchange.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java | Adds a refresh-grant test to ensure refresh tokens missing cid but containing client_id can be exchanged. |
| server/src/test/java/org/cloudfoundry/identity/uaa/util/JwtTokenSignedByThisUAATest.java | Adds tests for fallback to client_id, missing both claims, and conflicting claims. |
| server/src/main/java/org/cloudfoundry/identity/uaa/util/JwtTokenSignedByThisUAA.java | Updates checkClient and getClientDetails to consider client_id when cid is missing. |
| server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java | Uses cid with fallback to client_id when validating refresh token ownership and when loading client details / persisting revocable tokens. |
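As an added illustration (not UAA's own code), the claim-resolution rule this review describes, written as one helper that prefers cid, falls back to client_id, and rejects conflicting, missing or non-string claims; the class name, the exception type and the sample claim sets are assumptions made for the example:

```java
import java.util.Map;

// Added example, not UAA code: resolve the token's client id the way the PR
// describes (prefer cid, fall back to client_id) and fail closed on anything
// that is ambiguous. Claim names match the PR; the exception type is assumed.
public class ClientIdResolution {
    static final String CID = "cid";
    static final String CLIENT_ID = "client_id";

    static String resolveClientId(Map<String, ?> claims) {
        String cid = asString(claims.get(CID), CID);
        String clientId = asString(claims.get(CLIENT_ID), CLIENT_ID);
        // Both present but different: the token is contradictory, reject it.
        if (cid != null && clientId != null && !cid.equals(clientId)) {
            throw new IllegalArgumentException("Conflicting cid and client_id claims");
        }
        // Neither present: nothing to validate the client against, reject it.
        if (cid == null && clientId == null) {
            throw new IllegalArgumentException("Token carries neither cid nor client_id");
        }
        return cid != null ? cid : clientId;
    }

    // Reject non-string claim values explicitly instead of letting an
    // unchecked (String) cast surface as a ClassCastException.
    private static String asString(Object value, String name) {
        if (value == null) {
            return null;
        }
        if (!(value instanceof String)) {
            throw new IllegalArgumentException("Claim " + name + " is not a string");
        }
        return (String) value;
    }

    public static void main(String[] args) {
        // Constructed sample claim sets covering the cases the PR's tests describe.
        System.out.println(resolveClientId(Map.of(CID, "app")));
        System.out.println(resolveClientId(Map.of(CLIENT_ID, "legacy-app")));
        System.out.println(resolveClientId(Map.of(CID, "app", CLIENT_ID, "app")));
        for (Map<String, ?> bad : java.util.List.of(
                Map.of(CID, "app", CLIENT_ID, "other"),
                Map.of("sub", "user"),
                Map.of(CID, java.util.List.of("app")))) {
            try {
                resolveClientId(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```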
| Claims claims = getClaims(refreshTokenClaims); | ||
|
|
||
| // Token client id: prefer cid, fall back to client_id for legacy or external tokens | ||
| String tokenClientId = claims.getCid() != null ? claims.getCid() : claims.getClientId(); |
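Review bot: the ternary on the last line yields a null tokenClientId when the refresh token carries neither cid nor client_id, so the ownership comparison that follows has to fail closed on null; an explicit null check that rejects the token before the comparison would make that guarantee visible. Also, while the description says access-token validation now rejects conflicting cid and client_id values, this line silently prefers cid without checking that client_id agrees; applying the same conflict check here keeps the two paths consistent.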
Comment on lines +281 to +282
| String cid = (String) claims.get(CID); | ||
| String clientIdClaim = (String) claims.get(CLIENT_ID); |
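Review bot: both lines use an unchecked (String) cast, so an external or malformed token whose cid or client_id claim is not a JSON string (an array or a number, say) would raise ClassCastException instead of the normal invalid-token failure; read the value as Object and reject the token when it is not a String. Minor: cid and clientIdClaim are named inconsistently; cidClaim alongside clientIdClaim reads better.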
Comment on lines 464 to +467
| String clientId = (String) claims.get(CID); | ||
| if (clientId == null) { | ||
| clientId = (String) claims.get(CLIENT_ID); | ||
| } |
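Review bot: this null-then-fallback block in getClientDetails repeats the cid/client_id resolution done in the snippet above at lines 281 to 282 and again in UaaTokenServices, and this copy performs no conflict check at all; extracting one helper such as resolveClientId(claims) that prefers cid, falls back to client_id and rejects conflicting or missing values would keep all three call sites consistent and stop the checks drifting apart in a later change.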
strehle approved these changes on Mar 19, 2026
Handle missing or conflicting `cid` and `client_id` claims in token validation