Issue #808 was recently reported that allowed a user to authenticate as a client and obtain an access token via the client_credentials or password grant flow.
This unique scenario occurs when a client and user have the same identifier (clientId and username). The user’s credentials are used for client authentication during a client_credentials or password grant flow and is successful in obtaining an access token with the authorities of the client.
This bug has been fixed in 1ed986a and released in 2.0.11.RELEASE.
If you’re using Java-based configuration, please update to 2.0.11.RELEASE.
However, if you’re using XML-based configuration, please take the following actions:
Update to 2.0.11.RELEASE
Look at this JUnit test and it’s associated XML configuration to ensure the
AuthenticationManagerfor client authentication and the
AuthenticationManagerfor user authentication is setup the same in your configuration.