From 2f31de66db5f6bfa6b879a039005959e47df843d Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 19 Feb 2024 14:45:26 +0100
Subject: [PATCH] Check client when introspection a confidential client token

---
 oauth2.go | 8 ++++++++

diff --git a/oauth2.go b/oauth2.go
index ae6e541939862144617451aed35b05a7013dc522..f6d4ff9ac83f5c31f8dedc2ba607ffebaa1dbc4e 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -335,6 +335,14 @@
 return
 }
 }
+ if client.ID != token.Client {
+ oauthError(w, &oauth2.Error{
+ Code: oauth2.ErrorCodeInvalidClient,
+ Description: "Invalid client ID or secret",
+ })
+ return
+ }
+
 user, err := db.FetchUser(ctx, token.User)
 if err != nil {
 oauthError(w, fmt.Errorf("failed to fetch user: %v", err))
-- 
2.48.1
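Review bot: The new `client.ID != token.Client` branch answers with `oauth2.ErrorCodeInvalidClient` and "Invalid client ID or secret" even though the caller's credentials were evidently just verified, so the description is misleading and, more importantly, the response distinguishes "valid token issued to another client" from "unknown or expired token", giving an authenticated client a way to learn whether arbitrary token strings exist. RFC 7662 §2.2 requires that a token the caller is not allowed to introspect be reported exactly like an inactive one — an introspection response with `active: false` and no error — so this branch should write the same inactive response the handler already uses for revoked or unknown tokens, keeping the `invalid_client` error path for failed client authentication only. If an error is kept deliberately, the text should at least say what was checked, e.g. `Description: "Token was not issued to this client",`, so an operator debugging the rejection is not sent after their credentials. The enclosing handler starts and ends outside this hunk, so I cannot confirm from here that `client` is always non-nil when the comparison runs (for instance if introspection is also permitted without client authentication); if it can be nil, the comparison dereferences it.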