oauth2-server-php
User Credentials grant doesn't verify user_id vs Client Credentials user_id
When you are using the UserCredentials grant, the default TokenController doesn't check whether the Client Credentials user_id matches the UserCredentials user_id. This means that when you request a token, you can use any valid client_id + client_secret together with any valid username + password combination to get a valid token for that user(name). It's hard to detect because the token response doesn't contain user info, but TokenController should check that the user_ids match.
TokenController::grantAccessToken() should probably contain something like this:
```php
if (!$clientInfo = $this->clientStorage->getClientDetails($clientId)) {
    $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client');
    return null;
}
$userId = $clientInfo['user_id'] ?? null;
$matchUserId = $grantType->getUserId();
if (!isset($userId) || !($userId === $matchUserId)) {
    $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client');
    return null;
}
```
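To make the reported behaviour and the proposed check concrete, here is a small self-contained model of a password-grant token endpoint. It is an added example, not code from oauth2-server-php: the client and user stores, the secrets and the user names are all constructed for this illustration, and the binding check mirrors the PHP snippet above (a client whose record has no user_id, or one bound to a different user, is refused). The `enforce_binding=False` path reproduces the issue as reported; the default path applies the fix.

```python
"""Model of the client/user binding check described in the issue.

Constructed, self-contained stand-in for the token endpoint: the stores,
secrets and user names below are made up for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed client store. The library's client record carries a user_id;
# a client bound to a user is expected to obtain tokens only for that user.
CLIENTS = {
    "app-alice":  {"client_secret": "secret-alice",  "user_id": "alice"},
    "app-bob":    {"client_secret": "secret-bob",    "user_id": "bob"},
    "shared-app": {"client_secret": "secret-shared", "user_id": None},  # no bound user
}

# Constructed user store (plaintext only to keep the example short).
USERS = {"alice": "alice-pw", "bob": "bob-pw"}

# Refusals are recorded here so a mismatch shows up in logs; the token
# response itself carries no user information, as the issue notes.
AUDIT_LOG: list = []


@dataclass
class TokenResponse:
    status: int
    body: dict = field(default_factory=dict)


def authenticate_client(client_id: str, client_secret: str) -> Optional[dict]:
    """Return the client record when id and secret check out, else None."""
    info = CLIENTS.get(client_id)
    if info is None or not hmac.compare_digest(info["client_secret"], client_secret):
        return None
    return info


def authenticate_user(username: str, password: str) -> Optional[str]:
    """Return the user_id for a valid username/password pair, else None."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    return username


def grant_access_token(client_id: str, client_secret: str,
                       username: str, password: str,
                       enforce_binding: bool = True) -> TokenResponse:
    """Password grant. enforce_binding=False reproduces the reported behaviour:
    any valid client plus any valid user yields a token for that user.
    enforce_binding=True applies the check proposed in the issue."""
    client = authenticate_client(client_id, client_secret)
    if client is None:
        return TokenResponse(401, {"error": "invalid_client"})

    user_id = authenticate_user(username, password)
    if user_id is None:
        return TokenResponse(400, {"error": "invalid_grant"})

    if enforce_binding:
        bound_user = client.get("user_id")
        # Mirrors the proposed PHP check: no bound user_id, or a user_id
        # different from the authenticated user, refuses the grant.
        if bound_user is None or bound_user != user_id:
            AUDIT_LOG.append(
                f"unauthorized_client client={client_id} "
                f"bound_user={bound_user} requested_user={user_id}"
            )
            return TokenResponse(400, {
                "error": "unauthorized_client",
                "error_description": "The grant type is unauthorized for this client",
            })

    return TokenResponse(200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "user_id": user_id,  # included only so the example is checkable
    })


if __name__ == "__main__":
    # Reported behaviour: a client bound to alice obtains a token for bob.
    print(grant_access_token("app-alice", "secret-alice", "bob", "bob-pw", enforce_binding=False))
    # With the check in place the same request is refused and logged.
    print(grant_access_token("app-alice", "secret-alice", "bob", "bob-pw"))
    print(AUDIT_LOG)
```

The audit entry is the practical addition for operators: since a successful token response gives no hint which client requested a token for which user, recording the refused (client, bound user, requested user) triple is the simplest way to notice an attempt after the check is deployed.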