From 7ac423698a10b92c5d34da022afccbc109fda34e Mon Sep 17 00:00:00 2001
From: shimingxy <shimingxy@qq.com>
Date: Fri, 16 Jan 2026 15:41:37 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BD=BF=E7=94=A8client=5Fcredentials=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96token=E6=8A=A5=E7=A9=BA=E6=8C=87=E9=92=88=20#IDK3Q0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../authz/oauth2/provider/token/DefaultTokenServices.java      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/dromara/maxkey/authz/oauth2/provider/token/DefaultTokenServices.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/dromara/maxkey/authz/oauth2/provider/token/DefaultTokenServices.java
index 0e5971602..715849eab 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/dromara/maxkey/authz/oauth2/provider/token/DefaultTokenServices.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/dromara/maxkey/authz/oauth2/provider/token/DefaultTokenServices.java
@@ -94,7 +94,8 @@ public class DefaultTokenServices implements AuthorizationServerTokenServices, R
 
     private void saveVisited(OAuth2Authentication authentication, OAuth2AccessToken accessToken) {
         //存储oauth、oidc等的token,用户退出时清除
-        if(authentication.getUserAuthentication().getPrincipal() instanceof SignPrincipal principal) {
+        if(authentication.getUserAuthentication() != null 
+        		&& authentication.getUserAuthentication().getPrincipal() instanceof SignPrincipal principal) {
             _logger.debug("{}({}) , session {} access for logout clear ",
                     principal.getUsername(),principal.getUserId(),principal.getSessionId());
             String clientId = authentication.getOAuth2Request().getRequestParameters().get(OAuth2Constants.PARAMETER.CLIENT_ID);