Describe the bug: see

org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector#issuer

issuer is a URI per RFC 7519; see the definition of StringOrURI in RFC 7519:

StringOrURI
      A JSON string value, with the additional requirement that while
      arbitrary string values MAY be used, any value containing a ":"
      character MUST be a URI [RFC3986].  StringOrURI values are
      compared as case-sensitive strings with no transformations or
      canonicalizations applied.

but in the implementation (link provided in the first line) new URL(uri) is used. This won't work for a custom scheme used in the URI.

To Reproduce: return a JWT containing token.iss = 'myCustomProtocol://example.org'

Expected behavior: should not throw "Invalid iss value: myCustomProtocol://example.org"

Although unusual, any URI is a valid value for the issuer in the JWT returned from the resource server. What is actually the reason not to simply return the uri value as it is?

Current:

    private URL issuer(String uri) {
        try {
            return new URL(uri);
        }
        catch (Exception ex) {
            throw new OAuth2IntrospectionException(
                    "Invalid " + OAuth2IntrospectionClaimNames.ISSUER + " value: " + uri);
        }
    }

Expected:

return issuer string as-is
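As an added illustration (not Spring Security's code and not the fix from the linked PR), the following Java class shows why java.net.URL rejects a custom scheme in the iss claim and what a check that follows the RFC 7519 StringOrURI definition looks like; the class and method names are my own.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;

/**
 * Added example (not Spring Security code): why java.net.URL rejects a custom
 * scheme in the JWT "iss" claim, and a check that follows RFC 7519 StringOrURI.
 */
public class IssuerClaimCheck {
    /** Mirrors the reported behaviour: URL only accepts registered protocol handlers. */
    static boolean acceptedByUrl(String iss) {
        try {
            new URL(iss);
            return true;
        } catch (MalformedURLException ex) {
            return false;
        }
    }

    /**
     * StringOrURI (RFC 7519 section 2): any string is allowed, but a value that
     * contains ':' must parse as an RFC 3986 URI. The value is returned as-is,
     * with no canonicalization, because issuer comparison is case-sensitive.
     */
    static String requireStringOrUri(String iss) {
        if (iss == null || iss.isEmpty()) {
            throw new IllegalArgumentException("Invalid iss value: " + iss);
        }
        if (iss.indexOf(':') >= 0) {
            try {
                new URI(iss); // syntax check only; any scheme is accepted
            } catch (URISyntaxException ex) {
                throw new IllegalArgumentException("Invalid iss value: " + iss, ex);
            }
        }
        return iss;
    }

    public static void main(String[] args) {
        String custom = "myCustomProtocol://example.org";
        System.out.println("URL accepts custom scheme: " + acceptedByUrl(custom));
        System.out.println("StringOrURI keeps it: " + requireStringOrUri(custom));
        System.out.println("Plain string is fine: " + requireStringOrUri("my-issuer"));
        try {
            requireStringOrUri("has a colon: and spaces"); // contains ':' but is not a URI
        } catch (IllegalArgumentException ex) {
            System.out.println("Rejected: " + ex.getMessage());
        }
    }
}
```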

Comment From: marcusdacoregio

Thanks for the report @ayanahm.

This is fixed in version 5.6.0-M3 of Spring Security; you can take a look at it here: https://github.com/spring-projects/spring-security/pull/10175.

You can use 5.6.0-SNAPSHOT, or 5.6.0-M3, which will be released today (Sept 20).