Allow client registration from issuer uri with no authorize_endpoint #9795
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: backported
An issue that has been backported to maintenance branches
type: bug
A general bug
Describe the bug
https://datatracker.ietf.org/doc/html/rfc8414#section-2 states that authorize_endpoint is required unless no grant type requires it. An Authorization Server with no support for the authorization code grant type may not expose this endpoint in its metadata.
ClientRegistrations.withProviderConfiguration assumes that metadata.getAuthorizationEndpointURI() cannot be null. When this is the case, it will throw a java.lang.NullPointerException at line 259: .authorizationUri(metadata.getAuthorizationEndpointURI().toASCIIString()).
To Reproduce
Use an AS with no authorization_endpoint
Expected behavior
Should not throw an exception until the endpoint is actually used or only if the client grant type requires this endpoint.
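The expected behavior described above, as an added example that is not part of the original issue and is not Spring Security's code: it reads the optional authorization_endpoint from RFC 8414 metadata without dereferencing null and rejects the configuration only when the client's grant type needs that endpoint. The class name, method names and the sample metadata are assumptions made for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example; class and method names are hypothetical, not Spring Security API.
public class MetadataEndpointCheck {
    // Grant types that use the authorization endpoint.
    private static final List<String> USES_AUTHORIZATION_ENDPOINT = List.of("authorization_code", "implicit");

    // Read the endpoint without dereferencing a missing value.
    static Optional<URI> authorizationEndpoint(Map<String, Object> metadata) {
        Object value = metadata.get("authorization_endpoint");
        return (value == null) ? Optional.empty() : Optional.of(URI.create(value.toString()));
    }

    // RFC 8414: grant_types_supported defaults to authorization_code and implicit when omitted.
    @SuppressWarnings("unchecked")
    static boolean metadataRequiresEndpoint(Map<String, Object> metadata) {
        Object value = metadata.get("grant_types_supported");
        List<String> grants = (value == null) ? USES_AUTHORIZATION_ENDPOINT : (List<String>) value;
        return grants.stream().anyMatch(USES_AUTHORIZATION_ENDPOINT::contains);
    }

    // Fail only when the client's own grant type needs the endpoint.
    static Optional<URI> resolveFor(String clientGrantType, Map<String, Object> metadata) {
        Optional<URI> endpoint = authorizationEndpoint(metadata);
        if (endpoint.isEmpty() && USES_AUTHORIZATION_ENDPOINT.contains(clientGrantType)) {
            throw new IllegalArgumentException("Grant type " + clientGrantType
                    + " requires authorization_endpoint, but the issuer metadata has none");
        }
        return endpoint;
    }

    public static void main(String[] args) {
        // Constructed sample: metadata of a client-credentials-only authorization server.
        Map<String, Object> metadata = Map.of(
                "issuer", "https://as.example",
                "token_endpoint", "https://as.example/token",
                "grant_types_supported", List.of("client_credentials"));
        System.out.println("metadata requires endpoint: " + metadataRequiresEndpoint(metadata));
        System.out.println("client_credentials -> " + resolveFor("client_credentials", metadata));
        try {
            resolveFor("authorization_code", metadata);
        } catch (IllegalArgumentException ex) {
            System.out.println("authorization_code -> rejected: " + ex.getMessage());
        }
    }
}
```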