Hi there,
I noticed an unfortunate HTTP 500 Server Error when requesting the
"/protection/resource_set" endpoint of Keycloak. After some debugging it
showed that the retrieval of the ClientModel returned null, because
identity.getId() returns a user ID and not the related client ID.
The following lines show the current code vs. my refactored version of
org.keycloak.authorization.protection.ProtectionService.resource() (line
60, master branch).
This endpoint is requested with an end user's access token.
Current code (master branch), fails:
ClientModel client = realm.getClientById(identity.getId());
--> client = null
--> identity.getId() = user ID of the user requesting the endpoint
Refactored code (works):
ClientModel client = realm.getClientByClientId(identity.getAccessToken().getIssuedFor());
--> client != null
--> identity.getAccessToken().getIssuedFor() = ClientID (name of the client)
--> calling getClientByClientId() instead of getClientById()
Documentation of this endpoint:
https://www.keycloak.org/docs/latest/authorization_services/
index.html#_service_protection_resources_api
What is the actual purpose of the method "getId()" of the KeycloakIdentity
class? In my opinion this class should return the ID of a client and not the
ID of a user.
I am looking forward to your insights regarding this bug.
Best regards
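A runnable illustration of the two lookups compared in the post, added here as an example; it is not code from the post or from Keycloak. It uses a small Python stand-in for Keycloak's RealmModel/ClientModel (getClientById keyed on the internal UUID, getClientByClientId keyed on the clientId string) and a constructed, unsigned access token. Beyond what the post states, it assumes that identity.getId() corresponds to the token's `sub` claim and that getIssuedFor() corresponds to the `azp` claim; the client names, the user UUID and the token are all constructed for the example.

```python
import base64
import json
import uuid


class Client:
    """Stand-in for Keycloak's ClientModel (toy model, not Keycloak code):
    an internal UUID primary key plus the human-readable clientId."""

    def __init__(self, client_id):
        self.id = str(uuid.uuid4())  # what RealmModel.getClientById() keys on
        self.client_id = client_id   # what RealmModel.getClientByClientId() keys on


class Realm:
    """Stand-in for RealmModel with the two lookups the post compares."""

    def __init__(self, clients):
        self._by_id = {c.id: c for c in clients}
        self._by_client_id = {c.client_id: c for c in clients}

    def get_client_by_id(self, internal_id):
        return self._by_id.get(internal_id)

    def get_client_by_client_id(self, client_id):
        return self._by_client_id.get(client_id)


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(user_id, issued_for):
    """Constructed sample access token. The signature segment is left empty
    because this illustration only inspects claims; a real resource server
    must verify the signature before trusting any of them."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": user_id, "azp": issued_for, "preferred_username": "alice"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def decode_claims(token):
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_client_current(realm, claims):
    """Mirrors the failing master code, realm.getClientById(identity.getId()).
    Assumption: identity.getId() is the token's 'sub', i.e. the end user's UUID,
    which is never a key in the client table, so the lookup yields None."""
    return realm.get_client_by_id(claims["sub"])


def resolve_client_fixed(realm, claims):
    """Mirrors the refactored code,
    realm.getClientByClientId(identity.getAccessToken().getIssuedFor()).
    Assumption: getIssuedFor() is the 'azp' claim, i.e. the clientId string."""
    return realm.get_client_by_client_id(claims["azp"])


def resolve_client_mixed_up(realm, claims):
    """The other way to get the key wrong: the clientId string is not an
    internal UUID either, so getClientById(azp) also yields None."""
    return realm.get_client_by_id(claims["azp"])


def demo():
    resource_server = Client("my-resource-server")
    realm = Realm([resource_server, Client("other-app")])
    token = make_sample_token(str(uuid.uuid4()), "my-resource-server")
    claims = decode_claims(token)
    return {
        "current": resolve_client_current(realm, claims),
        "fixed": resolve_client_fixed(realm, claims),
        "mixed_up": resolve_client_mixed_up(realm, claims),
    }


if __name__ == "__main__":
    for name, client in demo().items():
        print(name, "->", None if client is None else client.client_id)
```

Running the block prints `current -> None`, `fixed -> my-resource-server` and `mixed_up -> None`: only the combination of the `azp` claim with the clientId-keyed lookup resolves the client, which is the pairing the refactored line uses.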