Fix OAuth2TokenIntrospection issuer validation and add unit tests

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2TokenIntrospection.java

@@ -305,7 +305,7 @@ private void validate() {
 						"aud must be of type List");
 			}
 			if (this.claims.containsKey(OAuth2TokenIntrospectionClaimNames.ISS)) {
-				validateURL(this.claims.get(OAuth2TokenIntrospectionClaimNames.ISS), "iss must be a valid URL");
+				validateIssuer(this.claims.get(OAuth2TokenIntrospectionClaimNames.ISS), "iss must be a valid URL");
 			}
 		}
 
@@ -326,16 +326,24 @@ private void acceptClaimValues(String name, Consumer<List<String>> valuesConsume
 			valuesConsumer.accept(values);
 		}
 
-		private static void validateURL(Object url, String errorMessage) {
+		private static void validateIssuer(Object url, String errorMessage) {
 			if (URL.class.isAssignableFrom(url.getClass())) {
 				return;
 			}
 
+			String str = url.toString();
+			if (str.isEmpty()) {
+				throw new IllegalArgumentException(errorMessage);
+			}
+
 			try {
-				new URI(url.toString()).toURL();
+				// Try parsing as URI
+				new URI(str);
+				// If this succeeds, it’s a valid URI
 			}
 			catch (Exception ex) {
-				throw new IllegalArgumentException(errorMessage, ex);
+				// If parsing fails, allow plain string (fix for iss claim)
+				// Only log/debug if needed, no exception thrown
 			}
 		}
 

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java

@@ -0,0 +1,57 @@
+package org.springframework.security.oauth2.server.authorization;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
+
+import java.util.List;
+
+public class OAuth2TokenIntrospectionTests {
+
+	@Test
+	void buildWhenIssuerIsNonUriStringThenDoesNotThrow() {
+		String issuer = "client-id-123"; // plain string, not a URI
+
+		org.assertj.core.api.Assertions.assertThatCode(() -> {
+			OAuth2TokenIntrospection token =
+					OAuth2TokenIntrospection.builder(true)
+							.issuer(issuer)
+							.subject("user-123")
+							.build();
+
+			Object issClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ISS);
+			org.assertj.core.api.Assertions.assertThat(issClaim).isEqualTo(issuer);
+
+			Object activeClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ACTIVE);
+			org.assertj.core.api.Assertions.assertThat(activeClaim).isEqualTo(true);
+		}).doesNotThrowAnyException();
+	}
+
+	@Test
+	void buildWhenIssuerIsValidUriThenAcceptsIssuer() {
+		String issuer = "https://issuer.example.com";
+
+		OAuth2TokenIntrospection token =
+				OAuth2TokenIntrospection.builder(true)
+						.issuer(issuer)
+						.subject("user-123")
+						.build();
+
+		Object issClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ISS);
+		org.assertj.core.api.Assertions.assertThat(issClaim).isEqualTo(issuer);
+
+		Object activeClaim = token.getClaim(OAuth2TokenIntrospectionClaimNames.ACTIVE);
+		org.assertj.core.api.Assertions.assertThat(activeClaim).isEqualTo(true);
+	}
+
+	@Test
+	void buildWithMultipleScopes() {
+		OAuth2TokenIntrospection token =
+				OAuth2TokenIntrospection.builder(true)
+						.scope("read")
+						.scope("write")
+						.build();
+
+		List<String> scopes = (List<String>) token.getClaim(OAuth2TokenIntrospectionClaimNames.SCOPE);
+		org.assertj.core.api.Assertions.assertThat(scopes).containsExactly("read", "write");
+	}
+}