fix: Correct token exchange logic for App2App flows in DefaultIdTokenExtension (#1931)

The isAccessToken() method had inverted logic that prevented proper token exchange
for App2App scenarios. Tokens with a single audience different from the client ID
(aud != azp) now correctly trigger token exchange, while internal tokens (aud == azp)
are properly recognized and skip exchange.

This fixes scenarios where App2App access tokens were incorrectly treated as ID tokens
and bypassed the necessary exchange flow.

Version bumped to 3.6.9 for bugfix release.

Author: NiklasHerrmann21

CHANGELOG.md

@@ -1,6 +1,10 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 3.6.9
+
+- Fix token exchange logic in `DefaultIdTokenExtension` to correctly identify App2App tokens that require exchange (where `aud` contains a single audience different from `azp`)
+
 ## 3.6.8
 
 - Fix hybrid authentication issue where IAS Configuration was incorrectly used for XSUAA token exchange instead of XSUAA Configuration in `HybridIdentityServicesAutoConfiguration`

README.md

@@ -220,7 +220,7 @@ The SAP Cloud Security Services Integration is published to maven central: https
         <dependency>
             <groupId>com.sap.cloud.security</groupId>
             <artifactId>java-bom</artifactId>
-            <version>3.6.8</version>
+            <version>3.6.9</version>
             <scope>import</scope>
             <type>pom</type>
         </dependency>

bom/pom.xml

@@ -8,7 +8,7 @@
 
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-bom</artifactId>
-    <version>3.6.8</version>
+    <version>3.6.9</version>
     <packaging>pom</packaging>
     <name>java-bom</name>
 

env/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>com.sap.cloud.security.xsuaa</groupId>
         <artifactId>parent</artifactId>
-        <version>3.6.8</version>
+        <version>3.6.9</version>
     </parent>
 
     <groupId>com.sap.cloud.security</groupId>

java-api/README.md

@@ -5,6 +5,6 @@
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-api</artifactId>
-    <version>3.6.8</version>
+    <version>3.6.9</version>
 </dependency>
 ```

java-api/pom.xml

@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>3.6.8</version>
+		<version>3.6.9</version>
 	</parent>
 
 	<groupId>com.sap.cloud.security</groupId>

java-security-it/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <artifactId>parent</artifactId>
         <groupId>com.sap.cloud.security.xsuaa</groupId>
-        <version>3.6.8</version>
+        <version>3.6.9</version>
     </parent>
 
     <artifactId>java-security-it</artifactId>

java-security-test/README.md

@@ -40,7 +40,7 @@ It is pre-configured with a security filter that only accepts valid tokens. Furt
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
    <artifactId>java-security-test</artifactId>
-      <version>3.6.8</version>
+      <version>3.6.9</version>
    <scope>test</scope>
 </dependency>
 ```

java-security-test/pom.xml

@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>com.sap.cloud.security.xsuaa</groupId>
 		<artifactId>parent</artifactId>
-		<version>3.6.8</version>
+		<version>3.6.9</version>
 	</parent>
 
 	<groupId>com.sap.cloud.security</groupId>

java-security/README.md

@@ -69,7 +69,7 @@ Since it requires the Tomcat 10 runtime, it needs to be deployed using the [SAP
 <dependency>
     <groupId>com.sap.cloud.security</groupId>
     <artifactId>java-security</artifactId>
-    <version>3.6.8</version>
+    <version>3.6.9</version>
 </dependency>
 <dependency>
     <groupId>org.apache.httpcomponents</groupId>