**Describe the bug**

When configuring Spring Security's OAuth2 client for multi-tenant Azure Active Directory (Microsoft Entra ID) by setting `spring.security.oauth2.client.provider.<id>.issuer-uri` to https://login.microsoftonline.com/common/v2.0 or https://login.microsoftonline.com/organizations/v2.0 and relying on issuer auto-discovery, the application fails to start with an UnsatisfiedDependencyException and a URISyntaxException.

The root cause is that the OpenID Connect discovery document fetched from these multi-tenant Azure AD endpoints contains an issuer field with a {tenantid} placeholder (e.g., "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"). The underlying URI parser considers {tenantid} an "Illegal character in path," leading to the URISyntaxException during the ClientRegistrations.parse step.

This prevents proper multi-tenant configuration through simple issuer-uri auto-discovery as per Spring Security's standard OIDC client configuration.

**To Reproduce**

Steps to reproduce the behavior:

1. Create a Spring Boot 3.5.x application with spring-boot-starter-oauth2-client and spring-boot-starter-security.

2. Configure application.yml with Azure AD (Entra ID) client details, specifically setting the issuer-uri to the multi-tenant common endpoint:

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          entra:
            client-id: <YOUR_AZURE_AD_CLIENT_ID>
            client-secret: <YOUR_AZURE_AD_CLIENT_SECRET>
            redirect-uri: "{baseUrl}/oauth2/code/{registrationId}"
            authorization-grant-type: authorization_code
            scope:
              - openid
              - profile
              - email
              - User.Read
        provider:
          entra:
            issuer-uri: https://login.microsoftonline.com/common/v2.0 # Or https://login.microsoftonline.com/organizations/v2.0
```

3. Run the Spring Boot application.

**Expected behavior**

The application should start successfully, and Spring Security should be able to resolve the OIDC configuration for multi-tenant Azure AD, allowing users from different Azure AD organizations to authenticate. The {tenantid} placeholder in the discovered issuer should be handled gracefully, allowing for multi-tenant applications.
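One way to work around the failing discovery without giving up issuer validation, as an added example that is not part of this issue or of Spring Security's own code: register the client with Entra's explicit v2.0 endpoints (so nothing ever parses the `{tenantid}` issuer as a URI) and add a per-tenant issuer check to the ID-token validators. It assumes the standard `/common` authorize, token and JWKS endpoints, that `OidcIdTokenValidator` skips its fixed-issuer comparison when no `issuer-uri` is configured, and a constructed placeholder tenant allow-list.

```java
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.*;   // AuthorizationGrantType, validators, OAuth2Error
import org.springframework.security.oauth2.jwt.*;    // Jwt, JwtClaimNames, JwtDecoderFactory, JwtTimestampValidator

@Configuration
public class EntraMultiTenantConfig {
    private static final String AUTHORITY = "https://login.microsoftonline.com/";
    // Constructed placeholder allow-list (assumption): replace with the tenant IDs this application serves.
    private static final Set<String> ALLOWED_TENANTS = Set.of("<TENANT_ID_A>", "<TENANT_ID_B>");
    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration entra = ClientRegistration.withRegistrationId("entra")
            .clientId("<YOUR_AZURE_AD_CLIENT_ID>")
            .clientSecret("<YOUR_AZURE_AD_CLIENT_SECRET>")
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/oauth2/code/{registrationId}")
            .scope("openid", "profile", "email", "User.Read")
            // Explicit endpoints, no discovery and deliberately no issuerUri(): the "{tenantid}" issuer
            // from the discovery document is never parsed, and the tenant check below replaces it.
            .authorizationUri(AUTHORITY + "common/oauth2/v2.0/authorize")
            .tokenUri(AUTHORITY + "common/oauth2/v2.0/token")
            .jwkSetUri(AUTHORITY + "common/discovery/v2.0/keys")
            .build();
        return new InMemoryClientRegistrationRepository(entra);
    }

    @Bean
    JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        // Keep Spring's default validators (timestamps, sub/aud/exp/iat/azp) and add the tenant issuer check.
        factory.setJwtValidatorFactory(reg -> new DelegatingOAuth2TokenValidator<>(
            new JwtTimestampValidator(), new OidcIdTokenValidator(reg), tenantIssuerValidator()));
        return factory;
    }
    // Accept the ID token only if 'iss' is the v2.0 issuer of the tenant named in 'tid' and that tenant is allowed.
    static OAuth2TokenValidator<Jwt> tenantIssuerValidator() {
        return jwt -> {
            String tid = jwt.getClaimAsString("tid");
            String iss = jwt.getClaimAsString(JwtClaimNames.ISS);
            boolean ok = tid != null && ALLOWED_TENANTS.contains(tid) && (AUTHORITY + tid + "/v2.0").equals(iss);
            return ok ? OAuth2TokenValidatorResult.success()
                      : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_issuer", "unexpected issuer: " + iss, null));
        };
    }
}
```

Without the allow-list, the check would accept an ID token from any Entra tenant whose `iss` matches its own `tid`, which is the multi-tenant behaviour the `/common` endpoint implies; restrict it to the tenants you actually serve unless that is intended.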

**Sample**

A minimal sample involves an empty Spring Boot application with the application.yml configuration described above. Such a reproduction is available here: https://github.com/Dyskal/azure-oauth2-mre