diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/oidc/core/IdToken.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/oidc/core/IdToken.java
index b2931f0b14..76314f2879 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/oidc/core/IdToken.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/oidc/core/IdToken.java
@@ -44,11 +44,27 @@ public class IdToken extends SecurityToken implements IdTokenClaimAccessor {
  public IdToken(String tokenValue, Instant issuedAt, Instant expiresAt, Map claims) {
  super(tokenValue, issuedAt, expiresAt);
  Assert.notEmpty(claims, "claims cannot be empty");
- this.claims = Collections.unmodifiableMap(new LinkedHashMap<>(claims));
+ this.claims = Collections.unmodifiableMap(new LinkedHashMap<>(this.sanitize(claims)));
  }
 
  @Override
  public Map getClaims() {
  return this.claims;
  }
+
+ private Map sanitize(Map claims) {
+ // NOTE:
+ // Google's OpenID Connect implementation issues ID Tokens
+ // that omit the required https:// scheme prefix from the iss claim.
+ // This method will apply the required scheme prefix as a temporary workaround
+ // until Google's OpenID Connect implementation is updated.
+ // See http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss
+
+ String iss = (String)claims.get(IdTokenClaim.ISS);
+ if (!iss.startsWith("https://")) {
+ claims = new LinkedHashMap<>(claims);
+ claims.put(IdTokenClaim.ISS, "https://" + iss);
+ }
+ return claims;
+ }
 }
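Review bot: In the added `sanitize` method, `String iss = (String)claims.get(IdTokenClaim.ISS);` is dereferenced unconditionally, so a claim map without `iss` (or with a non-String value) makes the constructor fail with a NullPointerException or ClassCastException rather than a descriptive validation error; guarding the value before the `startsWith` call, in the same style as the existing `Assert.notEmpty(claims, "claims cannot be empty");` line (e.g. `Assert.hasText(iss, "iss claim cannot be empty");`), would report it clearly. The rewrite is also broader than the workaround the comment describes: every issuer value lacking the `https://` prefix is silently rewritten, not only Google's, so any issuer check performed later sees a value the token never carried. Restricting the rewrite to the single issuer value the linked spec section describes, `if ("accounts.google.com".equals(iss)) {`, keeps the normalization to the documented case and leaves every other issuer untouched for the validator to reject. The class declaration precedes the hunk.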