From 4ccdd2baf4d3df8324fdd663144053142e88d70d Mon Sep 17 00:00:00 2001
From: Joe Grandja <jgrandja@vmware.com>
Date: Thu, 23 Sep 2021 06:25:07 -0400
Subject: [PATCH] OAuth2TokenIntrospectionAuthenticationProvider checks for
 null issuer

Closes gh-438
---
 .../OAuth2TokenIntrospectionAuthenticationProvider.java     | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.java
index 46ccd503..435b9925 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.java
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.server.authorization.authentication;
 
+import java.net.URL;
 import java.time.Instant;
 import java.util.List;
 import java.util.Map;
@@ -134,7 +135,10 @@ public final class OAuth2TokenIntrospectionAuthenticationProvider implements Aut
 				if (!CollectionUtils.isEmpty(audience)) {
 					tokenClaims.audiences(audiences -> audiences.addAll(audience));
 				}
-				tokenClaims.issuer(jwtClaims.getIssuer().toExternalForm());
+				URL issuer = jwtClaims.getIssuer();
+				if (issuer != null) {
+					tokenClaims.issuer(issuer.toExternalForm());
+				}
 				String jti = jwtClaims.getId();
 				if (StringUtils.hasText(jti)) {
 					tokenClaims.id(jti);