Using CLM 6.0.6 with ifix02 and Jazz Authorization Server (JAS).

We have developed a RM service provider and registered it as a client to JAS for single sign-on.

When I navigate Jazz Global Configuration (GC), go to "Project Areas" menu, click on one project area and then click "Explore Project", GC sends a request to our cmServiceProviders resource (that is published in our rootservices document) with an Authorization header containing a Bearer token. Our application queries the JAS userInfo endpoint to get information about this token. An error is return with 400 with this header info: WWW-Authenticate: Bearer error=invalid_request, error_description=CWWKS1619E: A userinfo request was made with an access token that did not have the 'openid' scope. The request URI was /oidc/endpoint/jazzop/userinfo., scope=openid

If I skip the security check for this resource and return the resource to Jazz GC then GC sends another request to oslc:serviceprovider resource (published in the previous document returned) with the same invalid Bearer token.

If I return this resource too then another request comes in for oslc:publisher:application-about resource (published in rootservices document) with the same invalid Bearer token.

After returning all three resources without security check, all the subsequent requests to our service provider comes in with a Another valid Bearer token that passes the security checks. We can open configuration selection dialog from our provider and add streams to the GC streams.

I have two questions:

1. Are we supposed to protect these three resources? (cmServiceProviders & oslc:publisher:application-about published in rootservices and oslc:serviceProvider published in cmserviceProviders document)

2. If yes to question 1 then why the Bearer token sent in Authorization header while opening a GC project area is not being authenticated from the JAS userinfo endpoint?