
Allow client registration from issuer uri with no authorize_endpoint  #9795

Closed
@sclorng


Describe the bug
https://datatracker.ietf.org/doc/html/rfc8414#section-2 states that authorize_endpoint is required unless no grant type requires it. An authorization server with no support for the authorization code grant type may not expose this endpoint in its metadata.

ClientRegistrations.withProviderConfiguration assumes that metadata.getAuthorizationEndpointURI() cannot be null. When it is null, it will throw a java.lang.NullPointerException at line 259: .authorizationUri(metadata.getAuthorizationEndpointURI().toASCIIString()).

To Reproduce
Use an AS with no authorization_endpoint

Expected behavior
Should not throw an exception until the endpoint is actually used or only if the client grant type requires this endpoint.
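
An added sketch of the expected behavior described in the report above, not code from Spring Security or from the reporter: the authorization endpoint is read as optional, and a missing value is rejected with an explicit error only when the client's grant type uses that endpoint. The names EndpointConfig, optionalUri and fromMetadata are hypothetical, and the as.example metadata is constructed.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

// Added illustration; EndpointConfig, optionalUri and fromMetadata are
// hypothetical names, not Spring Security or Nimbus APIs.
public class OptionalAuthorizationEndpoint {

    // Grant types that use the authorization endpoint (RFC 6749).
    static final Set<String> NEEDS_AUTHORIZATION_ENDPOINT = Set.of("authorization_code", "implicit");

    record EndpointConfig(String grantType, URI authorizationUri, URI tokenUri) {
        EndpointConfig {
            // Fail only when the client's grant type actually uses the endpoint,
            // and fail with a descriptive error instead of a NullPointerException.
            if (authorizationUri == null && NEEDS_AUTHORIZATION_ENDPOINT.contains(grantType)) {
                throw new IllegalStateException(
                        "authorization_endpoint is required for grant type " + grantType);
            }
        }
    }

    // Returns null when the metadata does not publish the key.
    static URI optionalUri(Map<String, String> metadata, String key) {
        String value = metadata.get(key);
        return (value != null) ? URI.create(value) : null;
    }

    static EndpointConfig fromMetadata(Map<String, String> metadata, String grantType) {
        return new EndpointConfig(grantType,
                optionalUri(metadata, "authorization_endpoint"),
                optionalUri(metadata, "token_endpoint"));
    }

    public static void main(String[] args) {
        // Constructed metadata for an AS that publishes no authorization_endpoint.
        Map<String, String> metadata = Map.of(
                "issuer", "https://as.example",
                "token_endpoint", "https://as.example/oauth2/token");

        EndpointConfig cc = fromMetadata(metadata, "client_credentials");
        System.out.println("client_credentials ok, authorizationUri=" + cc.authorizationUri());

        try {
            fromMetadata(metadata, "authorization_code");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```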

Labels

in: oauth2 - An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: backported - An issue that has been backported to maintenance branches
type: bug - A general bug
