NullPointerException in OidcAuthorizationCodeAuthenticationProvider when RestClientAuthorizationCodeTokenResponseClient returns null additionalParameters #18803

@roudi

Description

Describe the bug
RestClientAuthorizationCodeTokenResponseClient (new default in Spring Security 7.0.0) returns an OAuth2AccessTokenResponse where additionalParameters is null instead of an empty Map. This causes a NullPointerException in OidcAuthorizationCodeAuthenticationProvider.authenticate() at line 149, which calls accessTokenResponse.getAdditionalParameters().containsKey(OidcParameterNames.ID_TOKEN) without a null check.

The legacy DefaultAuthorizationCodeTokenResponseClient (Spring Security 5.x/6.x) always returned a non-null additionalParameters map containing the id_token, so this NPE only surfaces with the new RestClient-based implementation in 7.0.0.

To Reproduce

  1. Create a Spring Boot 4.0.0 application with spring-boot-starter-oauth2-client
  2. Configure an OIDC provider (e.g., Azure AD / Microsoft Entra ID) with openid scope in application.properties
  3. Enable oauth2Login() in your SecurityFilterChain (default configuration, no custom token response client)
  4. Access a protected page (browser redirects to Azure AD)
  5. Authenticate successfully (Azure AD redirects back with an authorization code)
  6. Application exchanges the code for tokens using the default RestClientAuthorizationCodeTokenResponseClient
  7. NPE occurs: java.lang.NullPointerException at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:149)

Expected behavior
RestClientAuthorizationCodeTokenResponseClient should return an OAuth2AccessTokenResponse with a non-null additionalParameters map (at minimum an empty map, but ideally containing the id_token from the token endpoint response). This would be consistent with the behavior of the previous DefaultAuthorizationCodeTokenResponseClient and would allow OidcAuthorizationCodeAuthenticationProvider to successfully extract the ID token and complete OIDC authentication.

Alternatively, OidcAuthorizationCodeAuthenticationProvider.authenticate() line ~149 should null-check getAdditionalParameters() before calling .containsKey().

Sample

No sample repository provided. The issue is reproducible with any OIDC provider using the default oauth2Login() configuration on Spring Boot 4.0.0 / Spring Security 7.0.0.
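An added example, not code from the reporter or from Spring Security, showing the defensive shape a practitioner would put in front of the token response client while the behaviour described above is being investigated: a decorator that guarantees the `OAuth2AccessTokenResponse` handed downstream has a non-null `additionalParameters` map, and that fails closed with an `OAuth2AuthenticationException` instead of a `NullPointerException` when an `openid` request comes back without an `id_token`. It is written against the public API of the classes named in the report (`OAuth2AccessTokenResponseClient`, `OAuth2AuthorizationCodeGrantRequest`, `RestClientAuthorizationCodeTokenResponseClient`, `OAuth2AccessTokenResponse`, `OidcParameterNames`); the package, the class name and the error code string are assumptions for the example.

```java
package com.example.security; // hypothetical package, not part of Spring Security

import java.util.Collections;
import java.util.Map;

import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.RestClientAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;

/**
 * Decorator around any authorization-code token response client (example class, hypothetical name).
 * It normalises a null additionalParameters map to an empty one, and it fails closed with a
 * proper OAuth2AuthenticationException when an openid authorization request yields no id_token,
 * so the failure is reported as an authentication error rather than surfacing as an NPE later.
 *
 * Wiring in a SecurityFilterChain (hypothetical configuration, shown as a comment):
 *   http.oauth2Login(oauth2 -> oauth2.tokenEndpoint(token ->
 *       token.accessTokenResponseClient(IdTokenCheckingTokenResponseClient.withRestClientDefault())));
 */
public final class IdTokenCheckingTokenResponseClient
        implements OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {

    // Error code used for the fail-closed path (assumed value for this example).
    private static final String MISSING_ID_TOKEN_ERROR_CODE = "invalid_id_token";

    private final OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> delegate;

    public IdTokenCheckingTokenResponseClient(
            OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> delegate) {
        this.delegate = delegate;
    }

    /** Convenience factory wrapping the RestClient-based default client. */
    public static IdTokenCheckingTokenResponseClient withRestClientDefault() {
        return new IdTokenCheckingTokenResponseClient(
                new RestClientAuthorizationCodeTokenResponseClient());
    }

    @Override
    public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest request) {
        OAuth2AccessTokenResponse response = delegate.getTokenResponse(request);

        // Normalise: never hand a null map to downstream code.
        Map<String, Object> params = response.getAdditionalParameters();
        if (params == null) {
            response = OAuth2AccessTokenResponse.withResponse(response)
                    .additionalParameters(Collections.emptyMap())
                    .build();
            params = response.getAdditionalParameters();
        }

        // Fail closed: an authorization request that asked for the openid scope must yield an id_token.
        boolean openidRequested = request.getAuthorizationExchange()
                .getAuthorizationRequest()
                .getScopes()
                .contains(OidcScopes.OPENID);
        if (openidRequested && !params.containsKey(OidcParameterNames.ID_TOKEN)) {
            OAuth2Error error = new OAuth2Error(MISSING_ID_TOKEN_ERROR_CODE,
                    "Token endpoint response did not include an id_token for an openid request", null);
            throw new OAuth2AuthenticationException(error, error.toString());
        }
        return response;
    }
}
```

The decorator costs nothing when the delegate already returns an empty map; its value is that a missing `id_token` is reported through the normal `OAuth2AuthenticationException` path, where the failure handler and logs see a clear error code instead of a stack trace from deep inside the provider.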

Metadata

Assignees

Labels

  - in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose))
  - status: invalid (An issue that we don't feel is valid)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests