From e78616e38bf356b425799e6373fadb9a6460ce9a Mon Sep 17 00:00:00 2001
From: Krisztian Toth
Date: Wed, 21 Aug 2019 15:35:56 +0200
Subject: [PATCH 1/4] Remove internal Optional usage in favor of null checks
Fixes gh-7155
---
.../OAuth2ClientConfiguration.java | 14 ++++---
.../config/web/server/ServerHttpSecurity.java | 27 ++++++-------
...dcClientInitiatedLogoutSuccessHandler.java | 38 +++++++++++--------
.../registration/ClientRegistrations.java | 8 ++--
...uthorizedClientExchangeFilterFunction.java | 7 ++--
...h2IntrospectionAuthenticationProvider.java | 15 ++++----
...spectionReactiveAuthenticationManager.java | 15 ++++----
.../NimbusOpaqueTokenIntrospector.java | 27 +++++++------
.../samples/OAuth2LoginApplicationTests.java | 13 ++++---
.../csrf/CookieServerCsrfTokenRepository.java | 16 ++++----
.../transport/HttpsRedirectWebFilter.java | 12 +++---
11 files changed, 109 insertions(+), 83 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
index 532d9078b55..c59e34bcf4c 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
@@ -71,13 +71,17 @@ static class OAuth2ClientWebMvcSecurityConfiguration implements WebMvcConfigurer @Override public void addArgumentResolvers(List argumentResolvers) { if (this.clientRegistrationRepository != null && this.authorizedClientRepository != null) { - OAuth2AuthorizedClientProvider authorizedClientProvider = + OAuth2AuthorizedClientProviderBuilder authorizedClientProviderBuilder = OAuth2AuthorizedClientProviderBuilder.builder() .authorizationCode() - .refreshToken() - .clientCredentials(configurer -> - Optional.ofNullable(this.accessTokenResponseClient).ifPresent(configurer::accessTokenResponseClient)) - .build(); + .refreshToken(); + + if (this.accessTokenResponseClient != null) { + authorizedClientProviderBuilder.clientCredentials(configurer -> + configurer.accessTokenResponseClient(this.accessTokenResponseClient)); + } + OAuth2AuthorizedClientProvider authorizedClientProvider = authorizedClientProviderBuilder.build(); + DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager( this.clientRegistrationRepository, this.authorizedClientRepository); authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider); diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java index 42f6437bd18..fdffdd39a77 100644 --- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java @@ -27,7 +27,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.Optional; import java.util.UUID; import java.util.function.Function; import java.util.function.Supplier; 
@@ -2665,10 +2664,10 @@ public ServerHttpSecurity disable() { } protected void configure(ServerHttpSecurity http) { - Optional.ofNullable(this.csrfTokenRepository).ifPresent(serverCsrfTokenRepository -> { - this.filter.setCsrfTokenRepository(serverCsrfTokenRepository); - http.logout().addLogoutHandler(new CsrfServerLogoutHandler(serverCsrfTokenRepository)); - }); + if (this.csrfTokenRepository != null) { + this.filter.setCsrfTokenRepository(this.csrfTokenRepository); + http.logout().addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository)); + } http.addFilterAt(this.filter, SecurityWebFiltersOrder.CSRF); } @@ -3607,19 +3606,21 @@ public ServerHttpSecurity disable() { return and(); } - private Optional createLogoutHandler() { + private ServerLogoutHandler createLogoutHandler() { if (this.logoutHandlers.isEmpty()) { - return Optional.empty(); - } - else if (this.logoutHandlers.size() == 1) { - return Optional.of(this.logoutHandlers.get(0)); + return null; + } else if (this.logoutHandlers.size() == 1) { + return this.logoutHandlers.get(0); + } else { + return new DelegatingServerLogoutHandler(this.logoutHandlers); } - - return Optional.of(new DelegatingServerLogoutHandler(this.logoutHandlers)); } protected void configure(ServerHttpSecurity http) { - createLogoutHandler().ifPresent(this.logoutWebFilter::setLogoutHandler); + ServerLogoutHandler logoutHandler = createLogoutHandler(); + if (logoutHandler != null) { + this.logoutWebFilter.setLogoutHandler(logoutHandler); + } http.addFilterAt(this.logoutWebFilter, SecurityWebFiltersOrder.LOGOUT); } diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java index c2cdd764931..70fc970f51a 100644 
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java @@ -18,7 +18,6 @@ import java.net.URI; import java.nio.charset.StandardCharsets; -import java.util.Optional; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
@@ -52,25 +51,32 @@ public OidcClientInitiatedLogoutSuccessHandler(ClientRegistrationRepository clie @Override protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { + String targetUrl = null; + URI endSessionEndpoint; + if (authentication instanceof OAuth2AuthenticationToken && authentication.getPrincipal() instanceof OidcUser) { + endSessionEndpoint = this.endSessionEndpoint((OAuth2AuthenticationToken) authentication); + if (endSessionEndpoint != null) { + targetUrl = endpointUri(endSessionEndpoint, authentication); + } + } + if (targetUrl == null) { + targetUrl = super.determineTargetUrl(request, response); + } - return Optional.of(authentication) - .filter(OAuth2AuthenticationToken.class::isInstance) - .filter(token -> authentication.getPrincipal() instanceof OidcUser) - .map(OAuth2AuthenticationToken.class::cast) - .flatMap(this::endSessionEndpoint) - .map(endSessionEndpoint -> endpointUri(endSessionEndpoint, authentication)) - .orElseGet(() -> super.determineTargetUrl(request, response)); + return targetUrl; } - private Optional endSessionEndpoint(OAuth2AuthenticationToken token) { + private URI endSessionEndpoint(OAuth2AuthenticationToken token) { String registrationId = token.getAuthorizedClientRegistrationId(); - return Optional.of( - this.clientRegistrationRepository.findByRegistrationId(registrationId)) - .map(ClientRegistration::getProviderDetails) - .map(ClientRegistration.ProviderDetails::getConfigurationMetadata) - .map(configurationMetadata -> configurationMetadata.get("end_session_endpoint")) - .map(Object::toString) - .map(URI::create); + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId); + Object endSessionEndpoint = clientRegistration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint"); + + URI result = null; + if (endSessionEndpoint != null) { + result = 
URI.create(endSessionEndpoint.toString()); + } + + return result; } private String endpointUri(URI endSessionEndpoint, Authentication authentication) { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java index 846d68867cd..071f03cf09f 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java @@ -21,7 +21,6 @@ import java.util.LinkedHashMap; import java.util.List; import java.util.Map; -import java.util.Optional; import com.nimbusds.oauth2.sdk.GrantType; import com.nimbusds.oauth2.sdk.ParseException; @@ -141,8 +140,11 @@ public static ClientRegistration.Builder fromIssuerLocation(String issuer) { Map configuration = getConfiguration(issuer, oidc(uri), oidcRfc8414(uri), oauth(uri)); AuthorizationServerMetadata metadata = parse(configuration, AuthorizationServerMetadata::parse); ClientRegistration.Builder builder = withProviderConfiguration(metadata, issuer); - return Optional.ofNullable((String) configuration.get("userinfo_endpoint")) - .map(builder::userInfoUri).orElse(builder); + String userinfoEndpoint = (String) configuration.get("userinfo_endpoint"); + if (userinfoEndpoint != null) { + builder.userInfoUri(userinfoEndpoint); + } + return builder; } private static URI oidc(URI issuer) { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java index c8da1dca427..a041ba69d91 100644 
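Review bot: `endSessionEndpoint` hands the provider's `end_session_endpoint` metadata value straight to `URI.create`, so a malformed value raises an unchecked IllegalArgumentException in the middle of logout, and nothing in the hunk checks the URI that `determineTargetUrl` then uses as the redirect target. The metadata is only as trustworthy as the way it was configured or discovered, which is not visible here, so I would validate before use, for example catch the parse failure and require `result.isAbsolute()` with an http(s) scheme, returning null otherwise so the existing fallback to `super.determineTargetUrl(request, response)` applies. The unguarded `clientRegistration` dereference is addressed by PATCH 2/4 on this page, which keeps the `URI.create` call unchanged.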
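Review bot: The cast `(String) configuration.get("userinfo_endpoint")` in `fromIssuerLocation` assumes the value is a string, so a document carrying any other JSON type there fails with a ClassCastException instead of a descriptive configuration error. `configuration` is the result of `getConfiguration(issuer, ...)`, presumably the document fetched from the issuer, so its value types should not be taken for granted. A type check keeps the failure explicit: `Object userinfoEndpoint = configuration.get("userinfo_endpoint");` followed by `if (userinfoEndpoint instanceof String) { builder.userInfoUri((String) userinfoEndpoint); }`. The method body starts outside the hunk.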
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java @@ -45,7 +45,6 @@ import java.time.Duration; import java.time.Instant; import java.util.Map; -import java.util.Optional; import java.util.function.Consumer; import static org.springframework.security.oauth2.core.web.reactive.function.OAuth2BodyExtractors.oauth2AccessTokenResponse; @@ -291,8 +290,10 @@ private Mono authorizeWithRefreshToken(ExchangeFunction return next.exchange(refreshRequest) .flatMap(refreshResponse -> refreshResponse.body(oauth2AccessTokenResponse())) .map(accessTokenResponse -> { - OAuth2RefreshToken refreshToken = Optional.ofNullable(accessTokenResponse.getRefreshToken()) - .orElse(authorizedClient.getRefreshToken()); + OAuth2RefreshToken refreshToken = accessTokenResponse.getRefreshToken(); + if (refreshToken == null) { + refreshToken = authorizedClient.getRefreshToken(); + } return new OAuth2AuthorizedClient(authorizedClient.getClientRegistration(), authorizedClient.getPrincipalName(), accessTokenResponse.getAccessToken(), refreshToken); }) .flatMap(result -> this.authorizedClientRepository.saveAuthorizedClient(result, authentication, exchange) diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java index 495a6b49430..3260671ac7d 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java 
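Review bot: The fallback to `authorizedClient.getRefreshToken()` in the `map` lambda of `authorizeWithRefreshToken` has no comment, and it decides which credential is persisted by `saveAuthorizedClient`. A one-line comment above the null check would state the intent: `// the token response may omit refresh_token (RFC 6749, section 6); keep the current one in that case`. The enclosing method begins and ends outside the hunk.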
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java @@ -16,11 +16,11 @@ package org.springframework.security.oauth2.server.resource.authentication; import java.time.Instant; +import java.util.ArrayList; import java.util.Collection; import java.util.Collections; +import java.util.List; import java.util.Map; -import java.util.Optional; -import java.util.stream.Collectors; import org.springframework.http.HttpStatus; import org.springframework.security.authentication.AbstractAuthenticationToken; @@ -128,11 +128,12 @@ private AbstractAuthenticationToken convert(String token, Map cl } private Collection extractAuthorities(Map claims) { - Collection scopes = (Collection) claims.get(SCOPE); - return Optional.ofNullable(scopes).orElse(Collections.emptyList()) - .stream() - .map(authority -> new SimpleGrantedAuthority("SCOPE_" + authority)) - .collect(Collectors.toList()); + Collection scopes = (Collection) claims.getOrDefault(SCOPE, Collections.emptyList()); + List authorities = new ArrayList<>(); + for (String scope : scopes) { + authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope)); + } + return authorities; } private static BearerTokenError invalidToken(String message) { diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java index 3f76d53a29c..eb7205596b7 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java 
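Review bot: `claims.getOrDefault(SCOPE, Collections.emptyList())` in `extractAuthorities` is not equivalent to the removed `Optional.ofNullable(scopes).orElse(...)`: when the map contains the key with a null value, `getOrDefault` returns null and the `for` loop throws a NullPointerException. Whether the claims map can hold a null scope entry is not visible in this hunk, so the safe form keeps `claims.get(SCOPE)` and guards the loop with `if (scopes != null) { ... }`, still returning the empty `authorities` list. The identical hunk in OAuth2IntrospectionReactiveAuthenticationManager.extractAuthorities needs the same change. An authentication path that throws an unchecked exception on a claim shape it used to tolerate turns a harmless response into a request failure.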
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java @@ -17,11 +17,11 @@ package org.springframework.security.oauth2.server.resource.authentication; import java.time.Instant; +import java.util.ArrayList; import java.util.Collection; import java.util.Collections; +import java.util.List; import java.util.Map; -import java.util.Optional; -import java.util.stream.Collectors; import org.springframework.security.oauth2.core.OAuth2TokenAttributes; import reactor.core.publisher.Mono; @@ -108,11 +108,12 @@ private Mono authenticate(String token) } private Collection extractAuthorities(Map claims) { - Collection scopes = (Collection) claims.get(SCOPE); - return Optional.ofNullable(scopes).orElse(Collections.emptyList()) - .stream() - .map(authority -> new SimpleGrantedAuthority("SCOPE_" + authority)) - .collect(Collectors.toList()); + Collection scopes = (Collection) claims.getOrDefault(SCOPE, Collections.emptyList()); + List authorities = new ArrayList<>(); + for (String scope : scopes) { + authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope)); + } + return authorities; } private static BearerTokenError invalidToken(String message) { diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java index 3788331c4c9..c870395c2b1 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java 
@@ -22,7 +22,6 @@ import java.util.Collections; import java.util.List; import java.util.Map; -import java.util.Optional; import java.util.stream.Collectors; import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse; @@ -124,16 +123,22 @@ private MultiValueMap requestBody(String token) { */ @Override public Map introspect(String token) { - TokenIntrospectionSuccessResponse response = Optional.of(token) - .map(this.requestEntityConverter::convert) - .map(this::makeRequest) - .map(this::adaptToNimbusResponse) - .map(this::parseNimbusResponse) - .map(this::castToNimbusSuccess) - // relying solely on the authorization server to validate this token (not checking 'exp', for example) - .filter(TokenIntrospectionSuccessResponse::isActive) - .orElseThrow(() -> new OAuth2IntrospectionException("Provided token [" + token + "] isn't active")); - return convertClaimsSet(response); + RequestEntity requestEntity = this.requestEntityConverter.convert(token); + if (requestEntity == null) { + throw new OAuth2IntrospectionException("Provided token [" + token + "] isn't active"); + } + + ResponseEntity responseEntity = makeRequest(requestEntity); + HTTPResponse httpResponse = adaptToNimbusResponse(responseEntity); + TokenIntrospectionResponse introspectionResponse = parseNimbusResponse(httpResponse); + TokenIntrospectionSuccessResponse introspectionSuccessResponse = castToNimbusSuccess(introspectionResponse); + + // relying solely on the authorization server to validate this token (not checking 'exp', for example) + if (!introspectionSuccessResponse.isActive()) { + throw new OAuth2IntrospectionException("Provided token [" + token + "] isn't active"); + } + + return convertClaimsSet(introspectionSuccessResponse); } /** 
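Review bot: Both `OAuth2IntrospectionException` messages in `introspect` embed the raw bearer token (`"Provided token [" + token + "] isn't active"`), so the credential travels wherever the exception message goes: logs, and an error response if a caller echoes the message. The rewrite now builds that string in two places, which is a good moment to drop the token from it, e.g. `throw new OAuth2IntrospectionException("Provided token isn't active");`. The new `requestEntity == null` branch also reports "isn't active" although no introspection request was sent; a distinct message such as `"Could not build an introspection request"` would make that failure diagnosable.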
diff --git a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java index 3e2760c4b1e..e0931503aee 100644 --- a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java +++ b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java @@ -67,7 +67,6 @@ import java.util.HashSet; import java.util.List; import java.util.Map; -import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; @@ -331,10 +330,14 @@ private void assertIndexPage(HtmlPage page) throws Exception { } private HtmlAnchor getClientAnchorElement(HtmlPage page, ClientRegistration clientRegistration) { - Optional clientAnchorElement = page.getAnchors().stream() - .filter(e -> e.asText().equals(clientRegistration.getClientName())).findFirst(); - - return (clientAnchorElement.orElse(null)); + HtmlAnchor result = null; + for (HtmlAnchor anchor: page.getAnchors()) { + if (anchor.asText().equals(clientRegistration.getClientName())) { + result = anchor; + break; + } + } + return result; } private WebResponse followLinkDisableRedirects(HtmlAnchor anchorElement) throws Exception { diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java index 9ccedc8666b..f1ed61ee176 100644 --- a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java +++ b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ package org.springframework.security.web.server.csrf; -import java.util.Optional; import java.util.UUID; import org.springframework.http.HttpCookie; @@ -69,14 +68,17 @@ public Mono generateToken(ServerWebExchange exchange) { @Override public Mono saveToken(ServerWebExchange exchange, CsrfToken token) { return Mono.fromRunnable(() -> { - Optional tokenValue = Optional.ofNullable(token).map(CsrfToken::getToken); + String tokenValue = token != null ? token.getToken() : ""; + int maxAge = !tokenValue.isEmpty() ? -1 : 0; + String path = this.cookiePath != null ? this.cookiePath : getRequestContext(exchange.getRequest()); + boolean secure = exchange.getRequest().getSslInfo() != null; - ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue.orElse("")) + ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue) .domain(this.cookieDomain) .httpOnly(this.cookieHttpOnly) - .maxAge(tokenValue.map(val -> -1).orElse(0)) - .path(Optional.ofNullable(this.cookiePath).orElseGet(() -> getRequestContext(exchange.getRequest()))) - .secure(Optional.ofNullable(exchange.getRequest().getSslInfo()).map(sslInfo -> true).orElse(false)) + .maxAge(maxAge) + .path(path) + .secure(secure) .build(); exchange.getResponse().addCookie(cookie); diff --git a/web/src/main/java/org/springframework/security/web/server/transport/HttpsRedirectWebFilter.java b/web/src/main/java/org/springframework/security/web/server/transport/HttpsRedirectWebFilter.java index 99d72a22be7..41080e2cbe9 100644 --- a/web/src/main/java/org/springframework/security/web/server/transport/HttpsRedirectWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/transport/HttpsRedirectWebFilter.java 
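Review bot: In `saveToken`, `token != null ? token.getToken() : ""` followed by `tokenValue.isEmpty()` throws a NullPointerException when a non-null `CsrfToken` returns a null value, a case the removed `Optional.ofNullable(token).map(CsrfToken::getToken)` treated as "no token" and answered with an expiring cookie. If an implementation can return null, keep that behaviour with `String tokenValue = (token != null && token.getToken() != null) ? token.getToken() : "";`. Separately, `secure` is derived only from `exchange.getRequest().getSslInfo() != null`; if TLS is terminated in front of the application that value is presumably null and the CSRF cookie is issued without the Secure attribute, which deserves at least a comment on that line.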
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,7 +17,6 @@ package org.springframework.security.web.server.transport; import java.net.URI; -import java.util.Optional; import reactor.core.publisher.Mono; @@ -102,10 +101,11 @@ private URI createRedirectUri(ServerWebExchange exchange) { UriComponentsBuilder.fromUri(exchange.getRequest().getURI()); if (port > 0) { - Optional.ofNullable(this.portMapper.lookupHttpsPort(port)) - .map(builder::port) - .orElseThrow(() -> new IllegalStateException( - "HTTP Port '" + port + "' does not have a corresponding HTTPS Port")); + Integer httpsPort = this.portMapper.lookupHttpsPort(port); + if (httpsPort == null) { + throw new IllegalStateException("HTTP Port '" + port + "' does not have a corresponding HTTPS Port"); + } + builder.port(httpsPort); } return builder.scheme("https").build().toUri(); From 6a4425ca3bacddf897fe8cb9f0a2a7df57b12c87 Mon Sep 17 00:00:00 2001 From: Krisztian Toth Date: Mon, 26 Aug 2019 09:23:50 +0200 Subject: [PATCH 2/4] Fix possible NPE in OidcClientInitiatedLogoutSuccessHandler#endSessionEndpoint --- .../logout/OidcClientInitiatedLogoutSuccessHandler.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java index 70fc970f51a..0ea7425a81f 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java 
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java @@ -69,11 +69,13 @@ protected String determineTargetUrl(HttpServletRequest request, private URI endSessionEndpoint(OAuth2AuthenticationToken token) { String registrationId = token.getAuthorizedClientRegistrationId(); ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId); - Object endSessionEndpoint = clientRegistration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint"); URI result = null; - if (endSessionEndpoint != null) { - result = URI.create(endSessionEndpoint.toString()); + if (clientRegistration != null) { + Object endSessionEndpoint = clientRegistration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint"); + if (endSessionEndpoint != null) { + result = URI.create(endSessionEndpoint.toString()); + } } return result; From f6f437845918291334f8c71f342699d0cd6b8909 Mon Sep 17 00:00:00 2001 From: Krisztian Toth Date: Mon, 26 Aug 2019 09:24:54 +0200 Subject: [PATCH 3/4] Revert changes in test file --- .../samples/OAuth2LoginApplicationTests.java | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java index e0931503aee..3e2760c4b1e 100644 --- a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java +++ b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java 
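Review bot: When `findByRegistrationId` returns null, `endSessionEndpoint` now returns null without any trace, and `determineTargetUrl` (outside this hunk) falls back to the default target, so the user is not sent to the provider's end-session endpoint and the session at the provider may stay open. That outcome is reasonable as a fallback but should be observable; a debug-level log in the branch where `clientRegistration` is null would do, using whatever logger the class already has. The commit's diffstat lists only this file, so a test covering an authentication whose registration id is unknown to the repository is missing as well.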
@@ -67,6 +67,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; @@ -330,14 +331,10 @@ private void assertIndexPage(HtmlPage page) throws Exception { } private HtmlAnchor getClientAnchorElement(HtmlPage page, ClientRegistration clientRegistration) { - HtmlAnchor result = null; - for (HtmlAnchor anchor: page.getAnchors()) { - if (anchor.asText().equals(clientRegistration.getClientName())) { - result = anchor; - break; - } - } - return result; + Optional clientAnchorElement = page.getAnchors().stream() + .filter(e -> e.asText().equals(clientRegistration.getClientName())).findFirst(); + + return (clientAnchorElement.orElse(null)); } private WebResponse followLinkDisableRedirects(HtmlAnchor anchorElement) throws Exception { From 3fef1670f71aef31148c5f9c6c6ab25acf7eb809 Mon Sep 17 00:00:00 2001 From: Krisztian Toth Date: Mon, 26 Aug 2019 09:28:00 +0200 Subject: [PATCH 4/4] Add missing else branch in OAuth2ClientWebMvcSecurityConfiguration#addArgumentResolvers --- .../annotation/web/configuration/OAuth2ClientConfiguration.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java index c59e34bcf4c..72b83cb9c12 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java 
@@ -79,6 +79,8 @@ public void addArgumentResolvers(List argumentRes if (this.accessTokenResponseClient != null) { authorizedClientProviderBuilder.clientCredentials(configurer -> configurer.accessTokenResponseClient(this.accessTokenResponseClient)); + } else { + authorizedClientProviderBuilder.clientCredentials(); } OAuth2AuthorizedClientProvider authorizedClientProvider = authorizedClientProviderBuilder.build();
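Review bot: This `else` branch restores the `clientCredentials()` provider that PATCH 1/4 dropped whenever `accessTokenResponseClient` was null, yet the diffstat shows only this file changed with two insertions, so the regression is fixed without a test that would catch it next time. A test that calls `addArgumentResolvers` with no custom `accessTokenResponseClient` and checks that a client-credentials registration can still be authorized would pin the behaviour. The two branches can also be folded into a single call, `clientCredentials(configurer -> { if (this.accessTokenResponseClient != null) { configurer.accessTokenResponseClient(this.accessTokenResponseClient); } })`, which makes it impossible to forget the grant type again. The method starts outside the hunk.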