fix: simplify iss claim validation and add test for blank issuer

Author: ramesh-nair-dev

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2TokenIntrospection.java

@@ -327,24 +327,10 @@ private void acceptClaimValues(String name, Consumer<List<String>> valuesConsume
 		}
 
 		private static void validateIssuer(Object url, String errorMessage) {
-			if (URL.class.isAssignableFrom(url.getClass())) {
-				return;
-			}
-
 			String str = url.toString();
-			if (str.isEmpty()) {
+			if (str.isBlank()) {
 				throw new IllegalArgumentException(errorMessage);
 			}
-
-			try {
-				// Try parsing as URI
-				new URI(str);
-				// If this succeeds, it’s a valid URI
-			}
-			catch (Exception ex) {
-				// If parsing fails, allow plain string (fix for iss claim)
-				// Only log/debug if needed, no exception thrown
-			}
 		}
 
 	}

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java

@@ -5,24 +5,28 @@
 
 import java.util.List;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
 public class OAuth2TokenIntrospectionTests {
 
 	@Test
 	void buildWhenIssuerIsNonUriStringThenDoesNotThrow() {
 		String issuer = "client-id-123"; // plain string, not a URI
 
-		org.assertj.core.api.Assertions.assertThatCode(() -> {
+		assertThatCode(() -> {
 			OAuth2TokenIntrospection token =
 					OAuth2TokenIntrospection.builder(true)
 							.issuer(issuer)
 							.subject("user-123")
 							.build();
 
 			Object issClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ISS);
-			org.assertj.core.api.Assertions.assertThat(issClaim).isEqualTo(issuer);
+			assertThat(issClaim).isEqualTo(issuer);
 
 			Object activeClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ACTIVE);
-			org.assertj.core.api.Assertions.assertThat(activeClaim).isEqualTo(true);
+			assertThat(activeClaim).isEqualTo(true);
 		}).doesNotThrowAnyException();
 	}
 
@@ -37,10 +41,10 @@ void buildWhenIssuerIsValidUriThenAcceptsIssuer() {
 						.build();
 
 		Object issClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ISS);
-		org.assertj.core.api.Assertions.assertThat(issClaim).isEqualTo(issuer);
+		assertThat(issClaim).isEqualTo(issuer);
 
 		Object activeClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ACTIVE);
-		org.assertj.core.api.Assertions.assertThat(activeClaim).isEqualTo(true);
+		assertThat(activeClaim).isEqualTo(true);
 	}
 
 	@Test
@@ -52,6 +56,18 @@ void buildWithMultipleScopes() {
 						.build();
 
 		List<String> scopes = (List<String>) token.getClaim(OAuth2TokenIntrospectionClaimNames.SCOPE);
-		org.assertj.core.api.Assertions.assertThat(scopes).containsExactly("read", "write");
+		assertThat(scopes).containsExactly("read", "write");
+	}
+
+	@Test
+	void buildWhenIssuerIsBlankThenThrowsException() {
+		String issuer = "   "; // blank string
+
+		assertThatThrownBy(() ->
+				OAuth2TokenIntrospection.builder(true)
+						.issuer(issuer)
+						.subject("user-123")
+						.build()
+		).isInstanceOf(IllegalArgumentException.class);
 	}
 }