spring-projects · paulvas · Jan 16, 2026
diff --git a/...ringframework/security/oauth2/client/AuthorizationCodeOAuth2AuthorizedClientProvider.java b/...ringframework/security/oauth2/client/AuthorizationCodeOAuth2AuthorizedClientProvider.java
@@ -16,7 +16,8 @@
 
 package org.springframework.security.oauth2.client;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
@@ -47,8 +48,7 @@ public final class AuthorizationCodeOAuth2AuthorizedClientProvider implements OA
 	 * the authorization request
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	@Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(
 				context.getClientRegistration().getAuthorizationGrantType()) && context.getAuthorizedClient() == null) {

diff --git a/...ramework/security/oauth2/client/AuthorizedClientServiceOAuth2AuthorizedClientManager.java b/...ramework/security/oauth2/client/AuthorizedClientServiceOAuth2AuthorizedClientManager.java
@@ -21,7 +21,8 @@
 import java.util.Map;
 import java.util.function.Function;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

diff --git a/...ringframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java b/...ringframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java
@@ -20,7 +20,8 @@
 import java.time.Duration;
 import java.time.Instant;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
@@ -61,8 +62,7 @@ public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OA
 	 * re-authorization) is not supported
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	@Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		ClientRegistration clientRegistration = context.getClientRegistration();
 		if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) {
@@ -98,7 +98,12 @@ private OAuth2AccessTokenResponse getTokenResponse(ClientRegistration clientRegi
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		// Capture the expiration time in a local variable to ensure:
+		// 1. Thread safety: The value cannot change between the null check and its use.
+		// 2. Static analysis: Prevents IDEs (like VS Code/Eclipse) from reporting a
+		// potential NullPointerException on the second call.
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/...ework/security/oauth2/client/ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java b/...ework/security/oauth2/client/ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java
@@ -89,7 +89,12 @@ public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		// Capture the expiration time in a local variable to ensure:
+		// 1. Thread safety: The value cannot change between the null check and its use.
+		// 2. Static analysis: Prevents IDEs (like VS Code/Eclipse) from reporting a
+		// potential NullPointerException on the second call.
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/.../org/springframework/security/oauth2/client/DelegatingOAuth2AuthorizedClientProvider.java b/.../org/springframework/security/oauth2/client/DelegatingOAuth2AuthorizedClientProvider.java
@@ -21,7 +21,8 @@
 import java.util.Collections;
 import java.util.List;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.util.Assert;
 
 /**
@@ -64,8 +65,7 @@ public DelegatingOAuth2AuthorizedClientProvider(List<OAuth2AuthorizedClientProvi
 	}
 
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	@Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		for (OAuth2AuthorizedClientProvider authorizedClientProvider : this.authorizedClientProviders) {
 			OAuth2AuthorizedClient oauth2AuthorizedClient = authorizedClientProvider.authorize(context);

diff --git a/...a/org/springframework/security/oauth2/client/JwtBearerOAuth2AuthorizedClientProvider.java b/...a/org/springframework/security/oauth2/client/JwtBearerOAuth2AuthorizedClientProvider.java
@@ -21,7 +21,8 @@
 import java.time.Instant;
 import java.util.function.Function;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.RestClientJwtBearerTokenResponseClient;
@@ -65,8 +66,7 @@ public final class JwtBearerOAuth2AuthorizedClientProvider implements OAuth2Auth
 	 * supported
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	@Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		ClientRegistration clientRegistration = context.getClientRegistration();
 		if (!AuthorizationGrantType.JWT_BEARER.equals(clientRegistration.getAuthorizationGrantType())) {
@@ -118,7 +118,12 @@ private OAuth2AccessTokenResponse getTokenResponse(ClientRegistration clientRegi
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		// Capture the expiration time in a local variable to ensure:
+		// 1. Thread safety: The value cannot change between the null check and its use.
+		// 2. Static analysis: Prevents IDEs (like VS Code/Eclipse) from reporting a
+		// potential NullPointerException on the second call.
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/...ringframework/security/oauth2/client/JwtBearerReactiveOAuth2AuthorizedClientProvider.java b/...ringframework/security/oauth2/client/JwtBearerReactiveOAuth2AuthorizedClientProvider.java
@@ -113,7 +113,12 @@ private Mono<Jwt> resolveJwtAssertion(OAuth2AuthorizationContext context) {
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		// Capture the expiration time in a local variable to ensure:
+		// 1. Thread safety: The value cannot change between the null check and its use.
+		// 2. Static analysis: Prevents IDEs (like VS Code/Eclipse) from reporting a
+		// potential NullPointerException on the second call.
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/.../src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizationContext.java b/.../src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizationContext.java
@@ -22,7 +22,8 @@
 import java.util.Map;
 import java.util.function.Consumer;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.util.Assert;
@@ -74,8 +75,7 @@ public ClientRegistration getClientRegistration() {
 	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if the client
 	 * registration was supplied
 	 */
-	@Nullable
-	public OAuth2AuthorizedClient getAuthorizedClient() {
+	@Nullable public OAuth2AuthorizedClient getAuthorizedClient() {
 		return this.authorizedClient;
 	}
 

diff --git a/...ient/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizeRequest.java b/...ient/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizeRequest.java
@@ -23,7 +23,8 @@
 import java.util.Map;
 import java.util.function.Consumer;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -67,8 +68,7 @@ public String getClientRegistrationId() {
 	 * was not provided.
 	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if it was not provided
 	 */
-	@Nullable
-	public OAuth2AuthorizedClient getAuthorizedClient() {
+	@Nullable public OAuth2AuthorizedClient getAuthorizedClient() {
 		return this.authorizedClient;
 	}
 

diff --git a/...ient/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClient.java b/...ient/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClient.java
@@ -18,7 +18,8 @@
 
 import java.io.Serializable;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;

diff --git a/...c/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientManager.java b/...c/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientManager.java
@@ -16,7 +16,8 @@
 
 package org.springframework.security.oauth2.client;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 
@@ -62,7 +63,6 @@ public interface OAuth2AuthorizedClientManager {
 	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization is not
 	 * supported for the specified client
 	 */
-	@Nullable
-	OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest authorizeRequest);
+	@Nullable OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest authorizeRequest);
 
 }
diff --git a/.../main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProvider.java b/.../main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProvider.java
@@ -16,7 +16,8 @@
 
 package org.springframework.security.oauth2.client;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 
@@ -46,7 +47,6 @@ public interface OAuth2AuthorizedClientProvider {
 	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization is not
 	 * supported for the specified client
 	 */
-	@Nullable
-	OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context);
+	@Nullable OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context);
 
 }
diff --git a/...rg/springframework/security/oauth2/client/RefreshTokenOAuth2AuthorizedClientProvider.java b/...rg/springframework/security/oauth2/client/RefreshTokenOAuth2AuthorizedClientProvider.java
@@ -24,9 +24,10 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
-import org.springframework.lang.Nullable;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.RestClientRefreshTokenTokenResponseClient;
@@ -78,8 +79,7 @@ public final class RefreshTokenOAuth2AuthorizedClientProvider
 	 * not supported
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	@Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
 		if (authorizedClient == null || authorizedClient.getRefreshToken() == null
@@ -123,7 +123,8 @@ private OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizedClient author
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/...gframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java b/...gframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java
@@ -101,7 +101,8 @@ public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/...g/springframework/security/oauth2/client/TokenExchangeOAuth2AuthorizedClientProvider.java b/...g/springframework/security/oauth2/client/TokenExchangeOAuth2AuthorizedClientProvider.java
@@ -21,7 +21,8 @@
 import java.time.Instant;
 import java.util.function.Function;
 
-import org.springframework.lang.Nullable;
+import org.jspecify.annotations.Nullable;
+
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.RestClientTokenExchangeTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
@@ -66,8 +67,7 @@ public final class TokenExchangeOAuth2AuthorizedClientProvider implements OAuth2
 	 * supported
 	 */
 	@Override
-	@Nullable
-	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
+	@Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 		ClientRegistration clientRegistration = context.getClientRegistration();
 		if (!AuthorizationGrantType.TOKEN_EXCHANGE.equals(clientRegistration.getAuthorizationGrantType())) {
@@ -111,7 +111,8 @@ private OAuth2AccessTokenResponse getTokenResponse(ClientRegistration clientRegi
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/...framework/security/oauth2/client/TokenExchangeReactiveOAuth2AuthorizedClientProvider.java b/...framework/security/oauth2/client/TokenExchangeReactiveOAuth2AuthorizedClientProvider.java
@@ -101,7 +101,8 @@ private Mono<OAuth2Token> resolveSubjectToken(OAuth2AuthorizationContext context
 	}
 
 	private boolean hasTokenExpired(OAuth2Token token) {
-		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+		Instant expiresAt = token.getExpiresAt();
+		return expiresAt != null && this.clock.instant().isAfter(expiresAt.minus(this.clockSkew));
 	}
 
 	/**

diff --git a/...a/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java b/...a/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java