Describe the bug
As stated in the Spring Security documentation, to remove a claim from a JWT you just pass a converter for that claim to MappedJwtClaimSetConverter.withDefaults() that returns null.
Actually, this setting doesn't remove the claim from the JWT.
I think the problem is in the class org.springframework.security.oauth2.core.converter.ClaimTypeConverter, method convert:
```java
public Map<String, Object> convert(Map<String, Object> claims) {
    if (CollectionUtils.isEmpty(claims)) {
        return claims;
    }
    Map<String, Object> result = new HashMap<>(claims);
    this.claimTypeConverters.forEach((claimName, typeConverter) -> {
        if (claims.containsKey(claimName)) {
            Object claim = claims.get(claimName);
            Object mappedClaim = typeConverter.convert(claim);
            // A converter that returns null is skipped here, so the
            // original claim value copied into result above survives.
            if (mappedClaim != null) {
                result.put(claimName, mappedClaim);
            }
        }
    });
    return result;
}
```
I think that the result map should contain all the mapped claims even if their value is null, because null-valued claims are removed later.
To Reproduce
Steps to reproduce: I want to remove the NBF claim from the JWT. To do that I set on my JwtDecoder a converter that returns null for this claim:
```java
var jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
// Per the documentation, a converter returning null should drop the claim.
var converter = MappedJwtClaimSetConverter.withDefaults(Collections.singletonMap(JwtClaimNames.NBF, nbfClaimValue -> null));
jwtDecoder.setClaimSetConverter(converter);
```
Expected behavior
The decoded JWT doesn't contain the NBF claim.
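As an added, self-contained illustration (not code from Spring Security or from this issue's author), the class below places the loop quoted above beside a version that writes the converter's result through with Map.compute, whose null remapping result removes the entry, so a null-returning converter removes the claim. It stands in java.util.function.Function for Spring's Converter so it compiles without Spring on the classpath; the class and method names (ClaimRemovalDemo, convertAsReported, convertProposed) and the claim values in main are constructed for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Stand-in for ClaimTypeConverter.convert, written for this issue only.
// Function<Object, ?> replaces Spring's Converter<Object, ?> so this runs
// with nothing but the JDK.
public class ClaimRemovalDemo {

    // Behaviour as reported: a converter that returns null is skipped, so the
    // claim value copied into result from the input map survives unchanged.
    static Map<String, Object> convertAsReported(Map<String, Object> claims,
            Map<String, Function<Object, ?>> claimTypeConverters) {
        if (claims == null || claims.isEmpty()) {
            return claims;
        }
        Map<String, Object> result = new HashMap<>(claims);
        claimTypeConverters.forEach((claimName, typeConverter) -> {
            if (claims.containsKey(claimName)) {
                Object mappedClaim = typeConverter.apply(claims.get(claimName));
                if (mappedClaim != null) {   // null result is dropped here
                    result.put(claimName, mappedClaim);
                }
            }
        });
        return result;
    }

    // Proposed behaviour: the converter's result is always written through.
    // HashMap.compute removes the entry when the remapping function returns
    // null, so "return null to remove the claim" works as documented.
    static Map<String, Object> convertProposed(Map<String, Object> claims,
            Map<String, Function<Object, ?>> claimTypeConverters) {
        if (claims == null || claims.isEmpty()) {
            return claims;
        }
        Map<String, Object> result = new HashMap<>(claims);
        claimTypeConverters.forEach((claimName, typeConverter) -> {
            if (claims.containsKey(claimName)) {
                Object mappedClaim = typeConverter.apply(claims.get(claimName));
                result.compute(claimName, (key, oldValue) -> mappedClaim);
            }
        });
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample claim set; the values are arbitrary.
        Map<String, Object> claims = new HashMap<>();
        claims.put("iss", "https://issuer.example");
        claims.put("sub", "alice");
        claims.put("nbf", 1700000000L);
        claims.put("exp", 1700003600L);

        // Same shape as the issue's repro: one converter for "nbf" returning null.
        Map<String, Function<Object, ?>> converters =
                Collections.<String, Function<Object, ?>>singletonMap("nbf", nbf -> null);

        Map<String, Object> reported = convertAsReported(claims, converters);
        Map<String, Object> proposed = convertProposed(claims, converters);

        // The reported code leaves nbf in place; the proposed code removes it.
        if (!reported.containsKey("nbf")) {
            throw new AssertionError("expected the reported code to keep nbf");
        }
        if (proposed.containsKey("nbf")) {
            throw new AssertionError("expected the proposed code to remove nbf");
        }
        // Claims without a converter are untouched in both versions.
        if (!"alice".equals(proposed.get("sub")) || !proposed.containsKey("exp")) {
            throw new AssertionError("unrelated claims must survive unchanged");
        }
        System.out.println("reported keeps nbf, proposed removes it; other claims intact");
    }
}
```

Whether the null is stripped inside this loop (as compute does here) or by a later pass over the map, the point is the same: the converter's null must reach the result map instead of being discarded by the mappedClaim != null guard, otherwise the documented way to remove a claim has no effect.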
Comment From: jzheaux
I agree, @fguenci. Are you able to submit a PR with the change, including a test in MappedJwtClaimSetConverterTests that matches this use case?
Comment From: fguenci
OK, I'll try.