From 17e368435d03c85172598a5681d038d538da7e4c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Feb 2026 03:07:15 +0000
Subject: [PATCH 1/3] Bump com.nimbusds:oauth2-oidc-sdk from 11.26.1 to 11.33

Bumps [com.nimbusds:oauth2-oidc-sdk](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions) from 11.26.1 to 11.33.
- [Changelog](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/master/CHANGELOG.txt)
- [Commits](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/branches/compare/11.33..11.26.1)

---
updated-dependencies:
- dependency-name: com.nimbusds:oauth2-oidc-sdk
  dependency-version: '11.33'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 gradle/libs.versions.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index beaa857624..e1d7bec5f6 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -21,7 +21,7 @@ com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.21.0"
 com-google-inject-guice = "com.google.inject:guice:3.0"
 com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"
 com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:10.4"
-com-nimbusds-oauth2-oidc-sdk = "com.nimbusds:oauth2-oidc-sdk:11.26.1"
+com-nimbusds-oauth2-oidc-sdk = "com.nimbusds:oauth2-oidc-sdk:11.33"
 com-squareup-okhttp3-mockwebserver = { module = "com.squareup.okhttp3:mockwebserver", version.ref = "com-squareup-okhttp3" }
 com-squareup-okhttp3-okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "com-squareup-okhttp3" }
 com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:7.0.4"
From e8e41103346cc7e56947820b7b8c30334ca1699d Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 10 Feb 2026 10:36:16 -0700
Subject: [PATCH 2/3] Wrap RuntimeException in fromOidcConfiguration

This commit makes so that fromOidcConfiguration throws the same exception caused by chain as other configuration methods. Specifically, if parsing throws a RuntimeException, this method will now wrap it in an IllegalArgumentException as other configuration methods do. This makes specific sense here since the RuntimeException is almost certainly caused by a malformed configuration set handed in as a method parameter.

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../client/registration/ClientRegistrations.java | 11 ++++++++++-
 .../client/registration/ClientRegistrationsTests.java | 3 +--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
index a64ec66627..5e45b1858a 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
@@ -105,7 +105,7 @@ public final class ClientRegistrations {
 * @return the {@link ClientRegistration} built from the configuration
 */
 public static ClientRegistration.Builder fromOidcConfiguration(Map configuration) {
- OIDCProviderMetadata metadata = parse(configuration, OIDCProviderMetadata::parse);
+ OIDCProviderMetadata metadata = parseInput(configuration, OIDCProviderMetadata::parse);
 ClientRegistration.Builder builder = withProviderConfiguration(metadata, metadata.getIssuer().getValue());
 builder.jwkSetUri(metadata.getJWKSetURI().toASCIIString());
 if (metadata.getUserInfoEndpointURI() != null) {
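Review bot: The dereferences that follow the new `parseInput` call, `metadata.getIssuer().getValue()` and `metadata.getJWKSetURI().toASCIIString()`, remain outside the wrapper, so a missing `issuer` or `jwks_uri` surfaces as IllegalArgumentException only if `OIDCProviderMetadata::parse` itself rejects the map; that behaviour belongs to the Nimbus SDK and is not visible in this hunk. Because `jwks_uri` is where the keys for verifying ID token signatures are located, I would make the requirement explicit rather than dependent on the SDK version, for example `if (metadata.getJWKSetURI() == null) { throw new IllegalArgumentException("jwks_uri is missing from the provided OIDC configuration"); }` before the `jwkSetUri` call. The body of `fromOidcConfiguration` continues past the end of the hunk.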
@@ -292,6 +292,15 @@ public final class ClientRegistrations {
 throw new IllegalArgumentException(errorMessage);
 }
 
+ private static T parseInput(Map body, ThrowingFunction parser) {
+ try {
+ return parse(body, parser);
+ }
+ catch (RuntimeException ex) {
+ throw new IllegalArgumentException(ex);
+ }
+ }
+
 private static T parse(Map body, ThrowingFunction parser) {
 try {
 return parser.apply(new JSONObject(body));
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
index 0cf1002d56..053743129b 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
@@ -40,7 +40,6 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
-import static org.assertj.core.api.Assertions.assertThatNullPointerException;
 
 /**
 * @author Rob Winch
@@ -475,7 +474,7 @@ public class ClientRegistrationsTests {
 @Test
 public void issuerWhenOidcConfigurationResponseMissingJwksUriThenThrowsIllegalArgumentException() throws Exception {
 this.response.remove("jwks_uri");
- assertThatNullPointerException().isThrownBy(() -> registration(this.response).build());
+ assertThatIllegalArgumentException().isThrownBy(() -> registration(this.response).build());
 }
 
 @Test
From 5418ab208179e01fe4df5d2c4df280b3dbf3eef7 Mon Sep 17 00:00:00 2001
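Review bot: `parseInput` catches every RuntimeException and rethrows it as `new IllegalArgumentException(ex)`, which has no message of its own, so callers see only the cause's `toString()`; for a NullPointerException raised inside the parser that may say nothing about which input was wrong. A message naming the input would help, e.g. `throw new IllegalArgumentException("Unable to parse the supplied OIDC provider configuration", ex);`. The blanket catch also re-wraps any IllegalArgumentException that `parse` may already throw; whether it does cannot be told from here, because the catch clause of `parse` lies outside the hunk. A short comment on `parseInput` saying it is intended for caller-supplied maps, as opposed to `parse`, would explain why both helpers exist.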
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 10 Feb 2026 10:36:32 -0700
Subject: [PATCH 3/3] Update nimbus-jose-jwt from 10.4 to 10.6

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 gradle/libs.versions.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index e1d7bec5f6..1780639323 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -20,7 +20,7 @@ ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.28"
 com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.21.0"
 com-google-inject-guice = "com.google.inject:guice:3.0"
 com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"
-com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:10.4"
+com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:10.6"
 com-nimbusds-oauth2-oidc-sdk = "com.nimbusds:oauth2-oidc-sdk:11.33"
 com-squareup-okhttp3-mockwebserver = { module = "com.squareup.okhttp3:mockwebserver", version.ref = "com-squareup-okhttp3" }
 com-squareup-okhttp3-okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "com-squareup-okhttp3" }