I’m encountering an issue with the token exchange process in Spring Authorization Server. Specifically, the error occurs in the `OAuth2TokenExchangeAuthenticationProvider` class during the validation phase:

```java
else if (subjectAuthorization.getAttribute(Principal.class.getName()) == null) {
    throw new OAuth2AuthenticationException("invalid_grant");
}
```

The problem is that the `subjectAuthorization` object does not have the `Principal` attribute set, causing the token exchange request to fail with an `invalid_grant` error. Here is the flow of my request:

**1. Client Credentials Request**

I make a request to obtain a client access token:

```bash
curl --location 'http://localhost:8080/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=user.read'
```
**2. Token Exchange Request**
Then, I attempt to exchange this token using the following request:

```bash
curl --location 'http://localhost:8080/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic dG9rZW4tY2xpZW50OnRva2Vu' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=<client_access_token>' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'scope=message.read' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'
```
**3. Error**
The token exchange fails with the following exception:

```
OAuth2AuthenticationException: invalid_grant
```

Upon debugging, I found that `subjectAuthorization.getAttribute(Principal.class.getName())` is returning `null`. According to the Spring Authorization Server’s implementation, this attribute is mandatory for token exchange to validate the subject’s identity.
My Questions:

1. Why is the `Principal` attribute missing in the `subjectAuthorization`? Is there a specific configuration or customization required to ensure this attribute is populated?
2. How can I ensure that the `Principal` is included in the `OAuth2Authorization` object when issuing the `subject_token` (access token)?
3. Is there a known workaround or recommended approach to handle this scenario in Spring Authorization Server?
Any help or guidance would be greatly appreciated! Thank you in advance!
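One way to get a `Principal` attribute onto a `client_credentials` authorization, as an added example that is not part of the original issue and not code from the Spring Authorization Server project or its maintainers: decorate the `OAuth2AuthorizationService` so that, when a `client_credentials` authorization is saved, the authenticated client (the `Authentication` that client authentication placed in the `SecurityContext`) is copied into the `Principal.class.getName()` attribute that `OAuth2TokenExchangeAuthenticationProvider` checks. The class name `PrincipalAttributeAuthorizationService` and the bean method are assumptions; the check that the context `Authentication`'s name matches the authorization's `principalName` is there so an unrelated or anonymous `Authentication` is never attached.

```java
import java.security.Principal;

import org.springframework.context.annotation.Bean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;

/**
 * Hypothetical decorator (assumption, not a Spring Authorization Server class).
 * For client_credentials authorizations it stores the authenticated client as the
 * Principal attribute so a later token exchange can use the token as subject_token.
 */
public class PrincipalAttributeAuthorizationService implements OAuth2AuthorizationService {

    private final OAuth2AuthorizationService delegate;

    public PrincipalAttributeAuthorizationService(OAuth2AuthorizationService delegate) {
        this.delegate = delegate;
    }

    @Override
    public void save(OAuth2Authorization authorization) {
        if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(authorization.getAuthorizationGrantType())
                && authorization.getAttribute(Principal.class.getName()) == null) {
            // Client authentication ran before the token endpoint, so the context holds the client.
            Authentication client = SecurityContextHolder.getContext().getAuthentication();
            // Attach only a fully authenticated client whose name matches the authorization's
            // principalName; never attach an absent, anonymous or unrelated Authentication.
            if (client != null && client.isAuthenticated()
                    && client.getName().equals(authorization.getPrincipalName())) {
                authorization = OAuth2Authorization.from(authorization)
                        .attribute(Principal.class.getName(), client)
                        .build();
            }
        }
        delegate.save(authorization);
    }

    @Override
    public void remove(OAuth2Authorization authorization) {
        delegate.remove(authorization);
    }

    @Override
    public OAuth2Authorization findById(String id) {
        return delegate.findById(id);
    }

    @Override
    public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType) {
        return delegate.findByToken(token, tokenType);
    }

    // Assumed wiring in a @Configuration class: wrap whatever service you already use.
    @Bean
    OAuth2AuthorizationService authorizationService() {
        return new PrincipalAttributeAuthorizationService(new InMemoryOAuth2AuthorizationService());
    }
}
```

Two caveats before adopting this. First, the exchanged token then represents the client itself rather than a user, so the resource server receiving the `message.read` token must be prepared to treat a client identity as the subject; confirm that matches your trust model rather than assuming token exchange implies a user delegation. Second, the in-memory service keeps the attribute as-is, but a persistent service such as `JdbcOAuth2AuthorizationService` serializes attributes, and whether the client `Authentication` type round-trips through that serialization is something to verify in your setup (an assumption here, not something this page establishes).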
Comment From: jgrandja
@vedat-nivorbit Please do not double post. Closing this as a duplicate of spring-authorization-server#1886