Summary
When using spring-security-oauth2-client to authenticate via an OIDC provider and using the OIDC discovery protocol to autoconfigure client registrations, an NPE can occur during application startup if the userinfo_endpoint is not present in the OIDC configuration response.
Actual Behavior
Calling ClientRegistrations.fromIssuerLocation(String) with the URI of an OIDC provider whose openid-configuration JSON is missing the 'userinfo_endpoint' property causes the NPE on the following line (according to a stack trace from a Spring Boot app):
https://github.com/spring-projects/spring-security/blob/5.2.2.RELEASE/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java#L151
The reason is that metadata.getUserInfoEndpointURI() returns null.
Expected Behavior
The ClientRegistrationBuilder is successfully returned from the fromIssuerLocation method.
Version
- affected versions seem to be 5.2.2 and 5.3.0
- there is no such issue in version 5.2.1
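A null-tolerant way to build a registration from discovery metadata, added here as an example and not code from Spring Security or from the reporter; it assumes the Spring Security 5.2 ClientRegistration builder API and uses a constructed openid-configuration document with no userinfo_endpoint (that field is optional in OIDC discovery).

```java
import java.util.Map;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

public class TolerantDiscovery {
    // Constructed sample discovery document: deliberately lacks userinfo_endpoint.
    static final Map<String, Object> DISCOVERY = Map.of(
        "issuer", "https://idp.example/realm",
        "authorization_endpoint", "https://idp.example/realm/protocol/openid-connect/auth",
        "token_endpoint", "https://idp.example/realm/protocol/openid-connect/token",
        "jwks_uri", "https://idp.example/realm/protocol/openid-connect/certs");

    // Endpoints the authorization_code flow cannot work without are required;
    // everything else (jwks_uri, userinfo_endpoint) is only set when present.
    static ClientRegistration build(Map<String, Object> meta, String registrationId, String clientId) {
        String authz = require(meta, "authorization_endpoint");
        String token = require(meta, "token_endpoint");
        ClientRegistration.Builder b = ClientRegistration.withRegistrationId(registrationId)
            .clientId(clientId)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
            .authorizationUri(authz)
            .tokenUri(token)
            .scope("openid");
        Object jwks = meta.get("jwks_uri");
        if (jwks != null) {
            b.jwkSetUri(jwks.toString());
        }
        Object userInfo = meta.get("userinfo_endpoint");
        if (userInfo != null) { // absent here, so no call on a null value
            b.userInfoUri(userInfo.toString());
        }
        return b.build();
    }

    static String require(Map<String, Object> meta, String key) {
        Object value = meta.get(key);
        if (value == null) {
            throw new IllegalStateException("discovery document lacks required field: " + key);
        }
        return value.toString();
    }

    public static void main(String[] args) {
        ClientRegistration reg = build(DISCOVERY, "idp", "my-client"); // hypothetical ids
        System.out.println("userInfoUri = "
            + reg.getProviderDetails().getUserInfoEndpoint().getUri()); // null, no NPE
    }
}
```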
Comment From: jgrandja
Thank you for reporting this @martinnemec3. This is indeed a bug. Would you be interested in submitting a PR for this fix?