From bae4cdd7656995e2d844c14a864cf69fa947dae6 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 24 Mar 2026 13:39:27 -0600
Subject: [PATCH] Adjust for Nullability

Issue gh-18973

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../ott/ServerOneTimeTokenAuthenticationConverter.java          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
index b96dc705f9..621001f78c 100644
--- a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
@@ -50,7 +50,7 @@ public final class ServerOneTimeTokenAuthenticationConverter implements ServerAu
 		Assert.notNull(exchange, "exchange cannot be null");
 		if (isFormEncodedRequest(exchange.getRequest())) {
 			return exchange.getFormData()
-				.mapNotNull((data) -> data.getFirst(TOKEN))
+				.flatMap((data) -> Mono.justOrEmpty(data.getFirst(TOKEN)))
 				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data));
 		}
 		String token = resolveTokenFromRequest(exchange.getRequest());