Description
Expected Behavior
When using an OAuth2 client registration configured for the client credentials flow, the ServerOAuth2AuthorizedClientExchangeFilterFunction should use tokens scoped for the application instead of the current user.
Current Behavior
The ReactiveOAuth2AuthorizedClientManager is called using a currentAuthenticationMono, which is based on the security context. In an application with logged-in users, different tokens are acquired for each user, even if it doesn't make sense with the client credentials flow: the request is authorized in the name of the application itself (the client), not on behalf of the user.
Context
With the OAuth2ClientHttpRequestInterceptor for RestClient, we can set the principal resolver to something that always returns null, and with the ServletOAuth2AuthorizedClientExchangeFilterFunction, we can set the security context holder strategy to something that always returns an empty context.
In both cases, the authorized client manager is called with an anonymous authentication singleton, and the tokens acquired using the client credentials flow are scoped to the application.
I couldn't find an equivalent for the ServerOAuth2AuthorizedClientExchangeFilterFunction.
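The two servlet-side configurations the issue refers to, written out as an added example (not code from the issue, and not Spring Security's own sources): a RestClient whose OAuth2ClientHttpRequestInterceptor resolves no principal, and a servlet WebClient whose ServletOAuth2AuthorizedClientExchangeFilterFunction sees an always-empty security context. The registration id "my-api", the base URL and the EmptySecurityContextHolderStrategy class are assumptions made for the example; the registration is assumed to use the client_credentials grant.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.client.OAuth2ClientHttpRequestInterceptor;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.client.RestClient;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class ApplicationScopedClientsConfig {

    // Hypothetical registration id; assumed to be declared with
    // authorization-grant-type: client_credentials in the application properties.
    private static final String REGISTRATION_ID = "my-api";

    // Constructed placeholder; not a real endpoint.
    private static final String BASE_URL = "https://api.example.test";

    @Bean
    RestClient applicationScopedRestClient(OAuth2AuthorizedClientManager manager) {
        OAuth2ClientHttpRequestInterceptor interceptor = new OAuth2ClientHttpRequestInterceptor(manager);
        // Every request through this client uses the same registration ...
        interceptor.setClientRegistrationIdResolver(request -> REGISTRATION_ID);
        // ... and never a user principal. A null principal makes the interceptor fall back
        // to its anonymous authentication, so the manager caches one application-scoped
        // token rather than one token per logged-in user.
        interceptor.setPrincipalResolver(request -> null);
        return RestClient.builder()
                .baseUrl(BASE_URL)
                .requestInterceptor(interceptor)
                .build();
    }

    @Bean
    WebClient applicationScopedServletWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId(REGISTRATION_ID);
        // A strategy that always reports an empty context hides the logged-in user
        // from the filter function, so it authorizes as the application (the client).
        oauth2.setSecurityContextHolderStrategy(new EmptySecurityContextHolderStrategy());
        return WebClient.builder()
                .baseUrl(BASE_URL)
                .apply(oauth2.oauth2Configuration())
                .build();
    }

    // Assumed helper for this example: a holder strategy that never carries an Authentication.
    static final class EmptySecurityContextHolderStrategy implements SecurityContextHolderStrategy {
        @Override
        public void clearContext() {
            // nothing stored, nothing to clear
        }

        @Override
        public SecurityContext getContext() {
            return createEmptyContext();
        }

        @Override
        public void setContext(SecurityContext context) {
            // deliberately ignored: the user's context must not leak into token acquisition
        }

        @Override
        public SecurityContext createEmptyContext() {
            return new SecurityContextImpl();
        }
    }
}
```

Both beans end up calling the OAuth2AuthorizedClientManager with the anonymous authentication singleton, which is what makes the cached client credentials token application-wide instead of per user. The reactive ServerOAuth2AuthorizedClientExchangeFilterFunction, which the issue is about, is not covered here because the issue reports that it has no equivalent setting.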
Activity
Title changed from "ServerOAuth2AuthorizedClientExchangeFilterFunction: provide a mean to bind currentAuthenticationMono to Mono.just(ANONYMOUS_USER_TOKEN)" to "`ServerOAuth2AuthorizedClientExchangeFilterFunction`: scope client credential tokens to the application"
rohan-naik07 commented on Jun 28, 2025
@jgrandja can you assign me this task?
jgrandja commented on Jun 30, 2025
@rohan-naik07 Thanks for the offer, but this issue hasn't been assigned to a release yet. We have a number of higher priority items on our list for the major release of Spring Security 7.0 and Spring Authorization Server 2.0, and with fewer resources on our team it will limit the new features in the next release.
rohan-naik07 commented on Jul 1, 2025
Ok, will ping again after the 7.0 release. I get it that things are tight, but if possible can you provide a link to another issue that needs to be attended to for the upcoming release? Like some documentation work or bug fixing... I already have a grasp of Spring Security internals and architecture and even wrote a blog on it. Attaching a link to the blog. Go through it if you get some time off.
https://medium.com/@rohannaik_74642/in-depth-spring-security-part-1-940a27c25acf
jgrandja commented on Jul 3, 2025
@rohan-naik07 Would you be interested in gh-16391?