Merge branch '7.0.x'

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/SpringOpaqueTokenIntrospector.java

@@ -380,11 +380,10 @@ public class SpringOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
 		 * @since 6.5
 		 */
 		public SpringOpaqueTokenIntrospector build() {
+			Assert.notNull(this.clientId, "clientId cannot be null");
+			Assert.notNull(this.clientSecret, "clientSecret cannot be null");
 			RestTemplate restTemplate = new RestTemplate();
-			if (this.clientId != null && this.clientSecret != null) {
+			restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(this.clientId, this.clientSecret));
-				restTemplate.getInterceptors()
-					.add(new BasicAuthenticationInterceptor(this.clientId, this.clientSecret));
-			}
 			SpringOpaqueTokenIntrospector introspector = new SpringOpaqueTokenIntrospector(this.introspectionUri,
 					restTemplate);
 			this.postProcessors.forEach((postProcessor) -> postProcessor.accept(introspector));

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector.java

@@ -334,13 +334,13 @@ public class SpringReactiveOpaqueTokenIntrospector implements ReactiveOpaqueToke
 		 * @since 6.5
 		 */
 		public SpringReactiveOpaqueTokenIntrospector build() {
-			WebClient.Builder builder = WebClient.builder();
+			Assert.notNull(this.clientId, "clientId cannot be null");
-			if (this.clientId != null && this.clientSecret != null) {
+			Assert.notNull(this.clientSecret, "clientSecret cannot be null");
 			String clientId = this.clientId;
 			String clientSecret = this.clientSecret;
-				builder.defaultHeaders((h) -> h.setBasicAuth(clientId, clientSecret));
+			WebClient webClient = WebClient.builder()
-			}
+				.defaultHeaders((h) -> h.setBasicAuth(clientId, clientSecret))
-			WebClient webClient = builder.build();
+				.build();
 			SpringReactiveOpaqueTokenIntrospector introspector = new SpringReactiveOpaqueTokenIntrospector(
 					this.introspectionUri, webClient);
 			this.postProcessors.forEach((postProcessor) -> postProcessor.accept(introspector));

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/SpringOpaqueTokenIntrospectorTests.java

@@ -402,6 +402,13 @@ public class SpringOpaqueTokenIntrospectorTests {
 		}
 	}
 
+	// gh-19201
+	@Test
+	public void builderWhenMissingClientCredentialsThenThrowsException() {
+		assertThatExceptionOfType(IllegalArgumentException.class)
+			.isThrownBy(() -> SpringOpaqueTokenIntrospector.withIntrospectionUri(INTROSPECTION_URL).build());
+	}
+
 	private static ResponseEntity<Map<String, Object>> response(String content) {
 		HttpHeaders headers = new HttpHeaders();
 		headers.setContentType(MediaType.APPLICATION_JSON);

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospectorTests.java

@@ -328,6 +328,13 @@ public class SpringReactiveOpaqueTokenIntrospectorTests {
 		}
 	}
 
+	// gh-19201
+	@Test
+	public void builderWhenMissingClientCredentialsThenThrowsException() {
+		assertThatExceptionOfType(IllegalArgumentException.class)
+			.isThrownBy(() -> SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(INTROSPECTION_URL).build());
+	}
+
 	private WebClient mockResponse(String response) {
 		return mockResponse(toMap(response));
 	}