diff --git a/app/forms/openid_connect_authorize_form.rb b/app/forms/openid_connect_authorize_form.rb
index d1b8fb90563..dc4eba1726c 100644
--- a/app/forms/openid_connect_authorize_form.rb
+++ b/app/forms/openid_connect_authorize_form.rb
@@ -65,6 +65,7 @@ def verified_at_requested?
   end
 
   def service_provider
+    return NullServiceProvider.new(issuer: nil) if client_id && client_id.include?("\x00")
     @_service_provider ||= ServiceProvider.from_issuer(client_id)
   end
 
diff --git a/spec/forms/openid_connect_authorize_form_spec.rb b/spec/forms/openid_connect_authorize_form_spec.rb
index b7d086c8020..76d9c519be6 100644
--- a/spec/forms/openid_connect_authorize_form_spec.rb
+++ b/spec/forms/openid_connect_authorize_form_spec.rb
@@ -137,6 +137,15 @@
       end
     end
 
+    context 'with a client_id containing a null byte' do
+      let(:client_id) { "not_a_real_client_id\x00" }
+      it 'has errors' do
+        expect(valid?).to eq(false)
+        expect(form.errors[:client_id]).
+          to include(t('openid_connect.authorization.errors.bad_client_id'))
+      end
+    end
+
     context 'nonce' do
       context 'without a nonce' do
         let(:nonce) { nil }