Closed
Description
Describe the bug
https://datatracker.ietf.org/doc/html/rfc8414#section-2 states that authorize_endpoint is required unless no grant type requires it. Authorization Server with no support for authorization code grant type may not expose this endpoint in its metadata.
ClientRegistrations.withProviderConfiguration
assume that metadata.getAuthorizationEndpointURI()
cannot be null. When this is the case, it will throw a java.lang.NullPointerException
line 259 .authorizationUri(metadata.getAuthorizationEndpointURI().toASCIIString())
.
To Reproduce
Use an AS with no authorization_endpoint
Expected behavior
Should not throw an exception until the endpoint is actually used or only if the client grant type requires this endpoint.