Enable null-safety in spring-security-oauth2-client

Closes gh-17819

Author: jgrandja

config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java

@@ -157,7 +157,7 @@ public void parseWhenIssuerUriConfiguredThenRequestConfigFromIssuer() throws Exc
 			.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
-		assertThat(googleRegistration.getScopes()).isNull();
+		assertThat(googleRegistration.getScopes()).isEmpty();
 		assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl);
 		ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails();
 		assertThat(googleProviderDetails).isNotNull();

config/src/test/kotlin/org/springframework/security/config/annotation/web/oauth2/login/AuthorizationEndpointDslTests.kt

@@ -73,13 +73,11 @@ class AuthorizationEndpointDslTests {
 
         companion object {
             val RESOLVER: OAuth2AuthorizationRequestResolver = object : OAuth2AuthorizationRequestResolver {
-                override fun resolve(
-                    request: HttpServletRequest?
-                ) = OAuth2AuthorizationRequest.authorizationCode().build()
+                override fun resolve(request: HttpServletRequest) =
+                    OAuth2AuthorizationRequest.authorizationCode().build()
 
-                override fun resolve(
-                    request: HttpServletRequest?, clientRegistrationId: String?
-                ) = OAuth2AuthorizationRequest.authorizationCode().build()
+                override fun resolve(request: HttpServletRequest, clientRegistrationId: String) =
+                    OAuth2AuthorizationRequest.authorizationCode().build()
             }
         }
 

docs/src/test/kotlin/org/springframework/security/kt/docs/features/integrations/rest/configurationwebclient/ServerWebClientHttpInterfaceIntegrationConfiguration.kt

@@ -43,7 +43,7 @@ class ServerWebClientHttpInterfaceIntegrationConfiguration {
     fun securityConfigurer(
         manager: ReactiveOAuth2AuthorizedClientManager?
     ): OAuth2WebClientHttpServiceGroupConfigurer {
-        return OAuth2WebClientHttpServiceGroupConfigurer.from(manager)
+        return OAuth2WebClientHttpServiceGroupConfigurer.from(requireNotNull(manager))
     }
 
     // end::config[]

oauth2/oauth2-client/spring-security-oauth2-client.gradle

@@ -1,5 +1,6 @@
 plugins {
 	id 'javadoc-warnings-error'
+	id 'security-nullability'
 }
 
 apply plugin: 'io.spring.convention.spring-module'

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/AuthorizationCodeOAuth2AuthorizedClientProvider.java

@@ -16,7 +16,8 @@
 
 package org.springframework.security.oauth2.client;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
@@ -47,8 +48,7 @@ public final class AuthorizationCodeOAuth2AuthorizedClientProvider implements OA
 	 * the authorization request
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	public @Nullable OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(
 				context.getClientRegistration().getAuthorizationGrantType()) && context.getAuthorizedClient() == null) {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/AuthorizedClientServiceOAuth2AuthorizedClientManager.java

@@ -21,7 +21,8 @@
 import java.util.Map;
 import java.util.function.Function;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -113,9 +114,8 @@ public AuthorizedClientServiceOAuth2AuthorizedClientManager(
 					.removeAuthorizedClient(clientRegistrationId, principal.getName()));
 	}
 
-	@Nullable
 	@Override
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest authorizeRequest) {
+	public @Nullable OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest authorizeRequest) {
 		Assert.notNull(authorizeRequest, "authorizeRequest cannot be null");
 		String clientRegistrationId = authorizeRequest.getClientRegistrationId();
 		OAuth2AuthorizedClient authorizedClient = authorizeRequest.getAuthorizedClient();

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java

@@ -20,7 +20,8 @@
 import java.time.Duration;
 import java.time.Instant;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
@@ -61,8 +62,7 @@ public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OA
 	 * re-authorization) is not supported
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	public @Nullable OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		ClientRegistration clientRegistration = context.getClientRegistration();
 		if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) {
@@ -98,7 +98,8 @@ private OAuth2AccessTokenResponse getTokenResponse(ClientRegistration clientRegi
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java

@@ -89,7 +89,8 @@ public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/DelegatingOAuth2AuthorizedClientProvider.java

@@ -21,7 +21,8 @@
 import java.util.Collections;
 import java.util.List;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.util.Assert;
 
 /**
@@ -64,8 +65,7 @@ public DelegatingOAuth2AuthorizedClientProvider(List<OAuth2AuthorizedClientProvi
 	}
 
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	public @Nullable OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		for (OAuth2AuthorizedClientProvider authorizedClientProvider : this.authorizedClientProviders) {
 			OAuth2AuthorizedClient oauth2AuthorizedClient = authorizedClientProvider.authorize(context);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/InMemoryOAuth2AuthorizedClientService.java

@@ -19,6 +19,8 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -72,7 +74,7 @@ public InMemoryOAuth2AuthorizedClientService(ClientRegistrationRepository client
 
 	@Override
 	@SuppressWarnings("unchecked")
-	public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(String clientRegistrationId,
+	public <T extends OAuth2AuthorizedClient> @Nullable T loadAuthorizedClient(String clientRegistrationId,
 			String principalName) {
 		Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
 		Assert.hasText(principalName, "principalName cannot be empty");