**Describe the bug**
This line `session.getAttributes()` throws an NPE if we have a WebSession bean configuration like this to disable WebSession:
```kotlin
@Bean
fun webSessionManager(): WebSessionManager {
    // Emulate SessionCreationPolicy.STATELESS
    return WebSessionManager { exchange: ServerWebExchange? -> Mono.empty() }
}
```
**Expected behavior**
I think we may add null-safety when we are trying to call `getAuthorizedClients` in [this place](https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/WebSessionServerOAuth2AuthorizedClientRepository.java#L99) with a nullable session.
**Configuration**
Spring Cloud Gateway.
```kotlin
@Bean
fun authorizedClientManager(
    clientRegistrationRepository: ReactiveClientRegistrationRepository,
    authorizedClientRepository: ServerOAuth2AuthorizedClientRepository
): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
        .builder()
        .clientCredentials()
        .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
        clientRegistrationRepository,
        authorizedClientRepository
    )
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}
```

```kotlin
@Bean
fun springSecurityFilterChainNonProd(
    httpSecurity: ServerHttpSecurity,
    someIntrospector: SomeIntrospector,
): SecurityWebFilterChain? {
    return httpSecurity
        .cors(Customizer.withDefaults())
        .authorizeExchange { auth ->
            auth.anyExchange().authenticated()
        }
        .oauth2ResourceServer { oauth2 ->
            oauth2.opaqueToken {
                it.introspector(someIntrospector)
            }
        }
        .csrf { csrf -> csrf.disable() }
        .logout { logout -> logout.disable() }
        .build()
}
```
**Comment From: sjohnr**
@akovalyev, thanks for reaching out!
I want to point out that the javadoc for `WebSessionManager` states:
> Return the {@link WebSession} for the given exchange. Always guaranteed to return an instance either matching to the session id requested by the client, or a new session either because the client did not specify one or because the underlying session expired.
Your configuration does not honor the contract and therefore the issue is in your application. I'm happy to help you find a way to support your use case, but we prefer to use GitHub issues only for bugs and enhancements, so it would be best to ask a question on Stack Overflow and update this issue with a link to the question (so that other people can find it).
I'm going to close this issue for now with the above explanation.
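One way to keep the application stateless while still honoring the `WebSessionManager` contract quoted above, as an added example that is neither part of this issue nor code from the Spring Security project: hand back a fresh, never-saved `WebSession` for every exchange instead of `Mono.empty()`. The `StatelessSessionConfig` class, the `sessionOrNull` helper and the choice of `InMemoryWebSessionStore` are my assumptions, not anything the maintainer recommended.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.mock.http.server.reactive.MockServerHttpRequest
import org.springframework.mock.web.server.MockServerWebExchange
import org.springframework.web.server.ServerWebExchange
import org.springframework.web.server.WebSession
import org.springframework.web.server.session.InMemoryWebSessionStore
import org.springframework.web.server.session.WebSessionManager
import reactor.core.publisher.Mono

@Configuration
class StatelessSessionConfig {

    // The manager from the bug report. Returning Mono.empty() violates the
    // WebSessionManager contract, so any collaborator that resolves the
    // session and then reads its attributes sees null and throws an NPE.
    fun contractViolatingManager(): WebSessionManager =
        WebSessionManager { _: ServerWebExchange -> Mono.empty<WebSession>() }

    // Assumed alternative: always return a WebSession instance, but never call
    // save() on it, so nothing lands in the store and no session cookie is
    // written. InMemoryWebSessionStore.createWebSession() builds exactly such
    // an unsaved session with a working attribute map.
    @Bean
    fun webSessionManager(): WebSessionManager {
        val store = InMemoryWebSessionStore()
        return WebSessionManager { _: ServerWebExchange -> store.createWebSession() }
    }
}

// Hypothetical check helper: resolve the session for a single mock exchange the
// way the framework would. A contract-honoring manager never yields null here.
fun sessionOrNull(manager: WebSessionManager): WebSession? {
    val exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build())
    return manager.getSession(exchange).block()
}

fun main() {
    val config = StatelessSessionConfig()

    // The report's manager resolves to no session at all: this is the NPE source.
    check(sessionOrNull(config.contractViolatingManager()) == null)

    // The contract-honoring manager yields a usable, empty, unsaved session.
    val session = sessionOrNull(config.webSessionManager())
    check(session != null)
    check(session.attributes.isEmpty())
    check(!session.isStarted)

    println("stateless WebSessionManager honors the contract: session=${session.id}")
}
```

Because the session is never saved, `WebSessionServerOAuth2AuthorizedClientRepository` can still write the authorized client into the attribute map without an NPE, but the entry is discarded with the exchange, so a `client_credentials` token is not cached across requests. For a gateway that only needs client-credentials tokens, `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` backed by `InMemoryReactiveOAuth2AuthorizedClientService` sidesteps the `WebSession` entirely and keeps the token cache.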