From 48fe5b226fece7b50e57255022efe2b14dfb63b1 Mon Sep 17 00:00:00 2001
From: Martin Nemec <martin.nemec@zauzoo.com>
Date: Thu, 26 Mar 2020 18:30:28 +0100
Subject: [PATCH] OAuth2 ClientRegistrations NPE fix when userinfo missing

Issue gh-8187
---
 .../oauth2/client/registration/ClientRegistrations.java  | 9 ++++++---
 .../client/registration/ClientRegistrationsTest.java     | 8 ++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
index 57d10aaadca..c6cbaebf550 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
@@ -146,9 +146,12 @@ private static Supplier<ClientRegistration.Builder> oidc(URI issuer) {
 			RequestEntity<Void> request = RequestEntity.get(uri).build();
 			Map<String, Object> configuration = rest.exchange(request, typeReference).getBody();
 			OIDCProviderMetadata metadata = parse(configuration, OIDCProviderMetadata::parse);
-			return withProviderConfiguration(metadata, issuer.toASCIIString())
-					.jwkSetUri(metadata.getJWKSetURI().toASCIIString())
-					.userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString());
+			ClientRegistration.Builder builder = withProviderConfiguration(metadata, issuer.toASCIIString())
+					.jwkSetUri(metadata.getJWKSetURI().toASCIIString());
+			if (metadata.getUserInfoEndpointURI() != null) {
+				builder.userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString());
+			}
+			return builder;
 		};
 	}
 
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
index 3897870e702..f0bc7737737 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
@@ -195,6 +195,14 @@ public void issuerWhenOAuth2ResponseMissingJwksUriThenThenSuccess() throws Excep
 		assertThat(provider.getJwkSetUri()).isNull();
 	}
 
+	// gh-8187
+	@Test
+	public void issuerWhenResponseMissingUserInfoUriThenSuccess() throws Exception {
+		this.response.remove("userinfo_endpoint");
+		ClientRegistration registration = registration("").build();
+		assertThat(registration.getProviderDetails().getUserInfoEndpoint().getUri()).isNull();
+	}
+
 	@Test
 	public void issuerWhenContainsTrailingSlashThenSuccess() throws Exception {
 		assertThat(registration("")).isNotNull();