
token_type_hint is never used #1255


Closed

ninhthuanntnt opened this issue Jun 6, 2023 · 1 comment

Labels: status: invalid (An issue that we don't feel is valid)

Comments

@ninhthuanntnt

Describe the bug
After calling the introspect token endpoint with an access token and token_type_hint set to refresh_token, its response has an "active" field that is true.
I found this line of code in OAuth2TokenIntrospectionAuthenticationProvider.
```java
OAuth2Authorization authorization = this.authorizationService.findByToken(tokenIntrospectionAuthentication.getToken(), null);
```
I think we should use tokenTypeHint in tokenIntrospectionAuthentication instead of null.

To Reproduce
Postman console log:

```http
POST /oauth2/introspect HTTP/1.1
Authorization: Basic bnRudC1vaWRjLWNsaWVudDpudG50LXNlY3JldA==
User-Agent: PostmanRuntime/7.32.2
Accept: */*
Cache-Control: no-cache
Postman-Token: d4b7661f-6efd-4c43-89ed-f078a9ea70a2
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 660
Cookie: JSESSIONID=B19DE6C3D7048805A3FECC3735C82E53

token=eyJraWQiOiIwZWUzZjdmMy01YjE1LTRhNTctOGE3ZS1hMWFhNWMwNWI1OWUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSIsImF1ZCI6Im50bnQtb2lkYy1jbGllbnQiLCJuYmYiOjE2ODYwMzk5NTIsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiXSwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MDgwIiwiZXhwIjoxNjg2MDQwMjUyLCJpYXQiOjE2ODYwMzk5NTJ9.G9NfW3hWX8KopFG17WfICy_9UQktwDjdjIenybNRkIPQei_93jyLQl02A-iryZ2YlunqOS3f8SEsNTpOubpKVqf0rWh5xnC2om77bNJZ_h98wIYwDgbAJgBOeGS_taP1JQ7hTNK1xs66Q-_H12Q77L_P1eIPpr5pM3vZ_xnRZiYx57oObAWgxZMLQ0Z3P5QlCh5bL2Kjr6C8ILxjB5vdQ7fNkmKZSICe5kx0L33cYvoQ4yMXfRqI7bpinUFAKMYFMxQ8RG6afsEVV58YqMitz9tQi0cnVdf3gPz-HWxU-zSUzcSOknoy-sWWkyggAxp-3yxp0ofepW4HhhkmTpsqow&token_type_hint=refresh_token

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 06 Jun 2023 08:30:27 GMT
Keep-Alive: timeout=60
Connection: keep-alive

{"active":true,"sub":"user1","aud":["ntnt-oidc-client"],"nbf":1686039952,"scope":"openid profile","iss":"http://127.0.0.1:8080","exp":1686040252,"iat":1686039952,"client_id":"ntnt-oidc-client","token_type":"Bearer"}
```

Expected behavior
Be able to check the token based on the token type hint.

@jgrandja (Collaborator)

@ninhthuanntnt Please see Section 2.1 Introspection Request:

> token_type_hint
> OPTIONAL. A hint about the type of the token submitted for
> introspection. The protected resource MAY pass this parameter to
> help the authorization server optimize the token lookup. If the
> server is unable to locate the token using the given hint, it MUST
> extend its search across all of its supported token types. **An
> authorization server MAY ignore this parameter, particularly if it
> is able to detect the token type automatically.** Values for this
> field are defined in the "OAuth Token Type Hints" registry defined
> in OAuth Token Revocation [RFC7009].

Notice the wording in BOLD. Both OAuth2TokenIntrospectionAuthenticationProvider and OAuth2TokenRevocationAuthenticationProvider ignore the token_type_hint parameter by design.

Please also see gh-175 and this specific comment for further details.

I'm going to close this as implemented by design.
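The behaviour reported in the issue body and the RFC 7662 wording quoted in the reply above can be shown side by side with a small in-memory model of the introspection lookup. This is an added example, not code from Spring Authorization Server or from either participant; the token store, the token values (`at-111`, `rt-222`) and the fixed clock are constructed for the demo, and the three `lookup_*` strategies are hypothetical names for the design choices the thread discusses. It shows that with the hint ignored (the project's documented choice) and with the hint used only as an optimisation plus the mandatory fallback, an access token submitted with `token_type_hint=refresh_token` is still reported as active; only a non-compliant implementation that treats the hint as a filter would report it inactive.

```python
"""RFC 7662 section 2.1 token_type_hint semantics, modelled in memory.

Added example (not Spring Authorization Server code). Tokens, clock and
store contents are constructed for the demo.
"""
import time
from dataclasses import dataclass

ACCESS_TOKEN = "access_token"
REFRESH_TOKEN = "refresh_token"
SUPPORTED_TYPES = (ACCESS_TOKEN, REFRESH_TOKEN)


@dataclass
class StoredToken:
    token_type: str
    client_id: str
    sub: str
    scope: str
    exp: float  # absolute expiry, seconds since epoch


class TokenStore:
    """Tokens indexed per type, so a lookup can be restricted to one type."""

    def __init__(self):
        self._by_type = {t: {} for t in SUPPORTED_TYPES}

    def put(self, value, tok):
        self._by_type[tok.token_type][value] = tok

    def find(self, value, token_type=None):
        """token_type=None searches every supported type, which is the shape
        of the findByToken(token, null) call quoted in the issue."""
        types = SUPPORTED_TYPES if token_type is None else (token_type,)
        for t in types:
            tok = self._by_type.get(t, {}).get(value)
            if tok is not None:
                return tok
        return None


def lookup_ignoring_hint(store, token, hint):
    """Ignore the hint entirely (permitted by the MAY in the RFC)."""
    return store.find(token, None)


def lookup_with_hint_fallback(store, token, hint):
    """Use the hint as an optimisation; on a miss, extend the search across
    all supported types, which the RFC makes a MUST."""
    if hint in SUPPORTED_TYPES:
        tok = store.find(token, hint)
        if tok is not None:
            return tok
    return store.find(token, None)


def lookup_hint_as_filter(store, token, hint):
    """Non-compliant: treats the hint as a hard filter. Included only to show
    what the issue's expected behaviour would require."""
    if hint in SUPPORTED_TYPES:
        return store.find(token, hint)
    return store.find(token, None)


def introspect(store, token, hint, lookup, now=None):
    """Build the introspection response for one lookup strategy.

    Unknown and expired tokens both collapse to {"active": false}, so the
    response never reveals whether a token exists or merely expired."""
    now = time.time() if now is None else now
    tok = lookup(store, token, hint)
    if tok is None or tok.exp <= now:
        return {"active": False}
    resp = {"active": True, "client_id": tok.client_id, "sub": tok.sub,
            "scope": tok.scope, "exp": int(tok.exp)}
    if tok.token_type == ACCESS_TOKEN:
        resp["token_type"] = "Bearer"
    return resp


def demo():
    """Replay the issue's request: an access token sent with
    token_type_hint=refresh_token, under each lookup strategy."""
    now = 1686039952  # constructed fixed clock (the iat in the issue's token)
    store = TokenStore()
    store.put("at-111", StoredToken(ACCESS_TOKEN, "ntnt-oidc-client",
                                    "user1", "openid profile", now + 300))
    store.put("rt-222", StoredToken(REFRESH_TOKEN, "ntnt-oidc-client",
                                    "user1", "openid profile", now + 3600))
    strategies = {"ignore_hint": lookup_ignoring_hint,
                  "hint_then_fallback": lookup_with_hint_fallback,
                  "hint_as_filter": lookup_hint_as_filter}
    return {name: introspect(store, "at-111", REFRESH_TOKEN, fn, now=now)["active"]
            for name, fn in strategies.items()}


if __name__ == "__main__":
    for name, active in demo().items():
        print(f"{name:20s} active={active}")
```

The point for a resource server is that a hint is never a reason to expect `active: false`; if you need to know which kind of token you hold, inspect the response fields (for example the `token_type` that Spring returns for access tokens) rather than relying on the hint being enforced.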

@jgrandja jgrandja self-assigned this Jun 12, 2023
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Jun 12, 2023