diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverter.java
index b7fa948551..43facab715 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverter.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverter.java
@@ -35,21 +35,21 @@ import org.springframework.util.StringUtils;
  * @since 5.6
  */
 public final class DefaultMapOAuth2AccessTokenResponseConverter
-		implements Converter<Map<String, ?>, OAuth2AccessTokenResponse> {
+		implements Converter<Map<String, Object>, OAuth2AccessTokenResponse> {
 
 	private static final Set<String> TOKEN_RESPONSE_PARAMETER_NAMES = new HashSet<>(
 			Arrays.asList(OAuth2ParameterNames.ACCESS_TOKEN, OAuth2ParameterNames.EXPIRES_IN,
 					OAuth2ParameterNames.REFRESH_TOKEN, OAuth2ParameterNames.SCOPE, OAuth2ParameterNames.TOKEN_TYPE));
 
 	@Override
-	public OAuth2AccessTokenResponse convert(Map<String, ?> source) {
+	public OAuth2AccessTokenResponse convert(Map<String, Object> source) {
 		String accessToken = getParameterValue(source, OAuth2ParameterNames.ACCESS_TOKEN);
 		OAuth2AccessToken.TokenType accessTokenType = getAccessTokenType(source);
 		long expiresIn = getExpiresIn(source);
 		Set<String> scopes = getScopes(source);
 		String refreshToken = getParameterValue(source, OAuth2ParameterNames.REFRESH_TOKEN);
 		Map<String, Object> additionalParameters = new LinkedHashMap<>();
-		for (Map.Entry<String, ?> entry : source.entrySet()) {
+		for (Map.Entry<String, Object> entry : source.entrySet()) {
 			if (!TOKEN_RESPONSE_PARAMETER_NAMES.contains(entry.getKey())) {
 				additionalParameters.put(entry.getKey(), entry.getValue());
 			}
@@ -65,7 +65,7 @@ public final class DefaultMapOAuth2AccessTokenResponseConverter
 		// @formatter:on
 	}
 
-	private static OAuth2AccessToken.TokenType getAccessTokenType(Map<String, ?> tokenResponseParameters) {
+	private static OAuth2AccessToken.TokenType getAccessTokenType(Map<String, Object> tokenResponseParameters) {
 		if (OAuth2AccessToken.TokenType.BEARER.getValue()
 				.equalsIgnoreCase(getParameterValue(tokenResponseParameters, OAuth2ParameterNames.TOKEN_TYPE))) {
 			return OAuth2AccessToken.TokenType.BEARER;
@@ -73,11 +73,11 @@ public final class DefaultMapOAuth2AccessTokenResponseConverter
 		return null;
 	}
 
-	private static long getExpiresIn(Map<String, ?> tokenResponseParameters) {
+	private static long getExpiresIn(Map<String, Object> tokenResponseParameters) {
 		return getParameterValue(tokenResponseParameters, OAuth2ParameterNames.EXPIRES_IN, 0L);
 	}
 
-	private static Set<String> getScopes(Map<String, ?> tokenResponseParameters) {
+	private static Set<String> getScopes(Map<String, Object> tokenResponseParameters) {
 		if (tokenResponseParameters.containsKey(OAuth2ParameterNames.SCOPE)) {
 			String scope = getParameterValue(tokenResponseParameters, OAuth2ParameterNames.SCOPE);
 			return new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
@@ -85,12 +85,12 @@ public final class DefaultMapOAuth2AccessTokenResponseConverter
 		return Collections.emptySet();
 	}
 
-	private static String getParameterValue(Map<String, ?> tokenResponseParameters, String parameterName) {
+	private static String getParameterValue(Map<String, Object> tokenResponseParameters, String parameterName) {
 		Object obj = tokenResponseParameters.get(parameterName);
 		return (obj != null) ? obj.toString() : null;
 	}
 
-	private static long getParameterValue(Map<String, ?> tokenResponseParameters, String parameterName,
+	private static long getParameterValue(Map<String, Object> tokenResponseParameters, String parameterName,
 			long defaultValue) {
 		long parameterValue = defaultValue;
 
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/MapOAuth2AccessTokenResponseConverter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/MapOAuth2AccessTokenResponseConverter.java
index 5ca008b2fd..4554e7a2f1 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/MapOAuth2AccessTokenResponseConverter.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/MapOAuth2AccessTokenResponseConverter.java
@@ -16,6 +16,7 @@
 
 package org.springframework.security.oauth2.core.endpoint;
 
+import java.util.HashMap;
 import java.util.Map;
 
 import org.springframework.core.convert.converter.Converter;
@@ -33,11 +34,11 @@ import org.springframework.core.convert.converter.Converter;
 public final class MapOAuth2AccessTokenResponseConverter
 		implements Converter<Map<String, String>, OAuth2AccessTokenResponse> {
 
-	private final Converter<Map<String, ?>, OAuth2AccessTokenResponse> delegate = new DefaultMapOAuth2AccessTokenResponseConverter();
+	private final Converter<Map<String, Object>, OAuth2AccessTokenResponse> delegate = new DefaultMapOAuth2AccessTokenResponseConverter();
 
 	@Override
 	public OAuth2AccessTokenResponse convert(Map<String, String> tokenResponseParameters) {
-		return this.delegate.convert(tokenResponseParameters);
+		return this.delegate.convert(new HashMap<>(tokenResponseParameters));
 	}
 
 }
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
index 2d0e8da76a..4b5f157495 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
@@ -64,7 +64,7 @@ public class OAuth2AccessTokenResponseHttpMessageConverter
 	@Deprecated
 	protected Converter<Map<String, String>, OAuth2AccessTokenResponse> tokenResponseConverter = new MapOAuth2AccessTokenResponseConverter();
 
-	private Converter<Map<String, ?>, OAuth2AccessTokenResponse> accessTokenResponseConverter = new DefaultMapOAuth2AccessTokenResponseConverter();
+	private Converter<Map<String, Object>, OAuth2AccessTokenResponse> accessTokenResponseConverter = new DefaultMapOAuth2AccessTokenResponseConverter();
 
 	/**
 	 * @deprecated This field should no longer be used
@@ -152,7 +152,7 @@ public class OAuth2AccessTokenResponseHttpMessageConverter
 	 * @since 5.6
 	 */
 	public final void setAccessTokenResponseConverter(
-			Converter<Map<String, ?>, OAuth2AccessTokenResponse> accessTokenResponseConverter) {
+			Converter<Map<String, Object>, OAuth2AccessTokenResponse> accessTokenResponseConverter) {
 		Assert.notNull(accessTokenResponseConverter, "accessTokenResponseConverter cannot be null");
 		this.accessTokenResponseConverter = accessTokenResponseConverter;
 	}
diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverterTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverterTests.java
index 5b2c8dc9d8..7b07619d58 100644
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverterTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/DefaultMapOAuth2AccessTokenResponseConverterTests.java
@@ -37,7 +37,7 @@ import org.springframework.security.oauth2.core.OAuth2RefreshToken;
  */
 public class DefaultMapOAuth2AccessTokenResponseConverterTests {
 
-	private Converter<Map<String, ?>, OAuth2AccessTokenResponse> messageConverter;
+	private Converter<Map<String, Object>, OAuth2AccessTokenResponse> messageConverter;
 
 	@BeforeEach
 	public void setup() {
@@ -46,7 +46,7 @@ public class DefaultMapOAuth2AccessTokenResponseConverterTests {
 
 	@Test
 	public void shouldConvertFull() {
-		Map<String, String> map = new HashMap<>();
+		Map<String, Object> map = new HashMap<>();
 		map.put("access_token", "access-token-1234");
 		map.put("token_type", "bearer");
 		map.put("expires_in", "3600");
@@ -78,7 +78,7 @@ public class DefaultMapOAuth2AccessTokenResponseConverterTests {
 
 	@Test
 	public void shouldConvertMinimal() {
-		Map<String, String> map = new HashMap<>();
+		Map<String, Object> map = new HashMap<>();
 		map.put("access_token", "access-token-1234");
 		map.put("token_type", "bearer");
 		OAuth2AccessTokenResponse converted = this.messageConverter.convert(map);
@@ -100,7 +100,7 @@ public class DefaultMapOAuth2AccessTokenResponseConverterTests {
 
 	@Test
 	public void shouldConvertWithUnsupportedExpiresIn() {
-		Map<String, String> map = new HashMap<>();
+		Map<String, Object> map = new HashMap<>();
 		map.put("access_token", "access-token-1234");
 		map.put("token_type", "bearer");
 		map.put("expires_in", "2100-01-01-abc");