Spring Security Allow client registration from issuer uri with no authorize_endpoint

Describe the bug https://datatracker.ietf.org/doc/html/rfc8414#section-2 states that authorize_endpoint is required unless no grant type requires it. Authorization Server with no support for authorization code grant type may not expose this endpoint in its metadata.

ClientRegistrations.withProviderConfiguration assume that metadata.getAuthorizationEndpointURI() cannot be null. When this is the case, it will throw a java.lang.NullPointerException line 259 .authorizationUri(metadata.getAuthorizationEndpointURI().toASCIIString()).

To Reproduce Use an AS with no authorization_endpoint

Expected behavior Should not throw an exception until the endpoint is actually used or only if the client grant type requires this endpoint.

Comment From: jgrandja

Thanks for the report @scrocquesel. We'll look into this.

In the meantime, you could workaround this by not configuring the issuer-uri property and instead explicitly configuring all the required ClientRegistration properties.