
`ServerOAuth2AuthorizedClientExchangeFilterFunction`: scope client credential tokens to the application · Issue #17218 · spring-projects/spring-security

@ch4mpy (Contributor) opened the issue

Description

Expected Behavior

When using an OAuth2 client registration configured for the client credentials flow, the ServerOAuth2AuthorizedClientExchangeFilterFunction should use tokens scoped to the application instead of to the current user.

Current Behavior

The ReactiveOAuth2AuthorizedClientManager is called using a currentAuthenticationMono, which is based on the security context. In an application with logged-in users, a different token is acquired for each user, even if that doesn't make sense for the client credentials flow: the request is authorized in the name of the application itself (the client), not on behalf of the user.

Context

With the OAuth2ClientHttpRequestInterceptor for RestClient, we can set the principal resolver to something that always returns null, and with the ServletOAuth2AuthorizedClientExchangeFilterFunction, we can set the security context holder strategy to something that always returns an empty context.

In both cases, the authorized client manager is called with an anonymous authentication singleton, and the tokens acquired using the client credentials flow are scoped to the application.

I couldn't find an equivalent for the ServerOAuth2AuthorizedClientExchangeFilterFunction.
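The three situations the description contrasts, as an added example written for this page (it is not code from the issue author or from the Spring Security project). It assumes Spring Security 6.4 or later (where OAuth2ClientHttpRequestInterceptor exists), a client registration named "my-client" with grant type client_credentials, and the bean names shown. Parts 1 and 2 are the two working servlet-side configurations the description mentions; part 3 is a workaround for the reactive stack that sidesteps ServerOAuth2AuthorizedClientExchangeFilterFunction entirely, since the hook the issue asks for does not exist there.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.client.OAuth2ClientHttpRequestInterceptor;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.client.RestClient;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class AppScopedClientCredentialsConfig {

    // Assumption: a registration "my-client" with authorization-grant-type client_credentials.
    private static final String REGISTRATION_ID = "my-client";

    // Same shape as the anonymous token the filters fall back to when no user is resolved.
    // Its principal name ("anonymousUser") is the key under which the application token is cached,
    // so every caller shares one token instead of each logged-in user triggering a token request.
    private static final Authentication ANONYMOUS = new AnonymousAuthenticationToken(
            "anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    // 1. RestClient (servlet stack): a principal resolver that always returns null makes the
    //    interceptor authorize as the anonymous singleton rather than as the current user.
    @Bean
    RestClient appScopedRestClient(OAuth2AuthorizedClientManager manager) {
        OAuth2ClientHttpRequestInterceptor interceptor = new OAuth2ClientHttpRequestInterceptor(manager);
        interceptor.setClientRegistrationIdResolver(request -> REGISTRATION_ID);
        interceptor.setPrincipalResolver(request -> null);
        return RestClient.builder().requestInterceptor(interceptor).build();
    }

    // 2. WebClient in a servlet app: a SecurityContextHolderStrategy that never exposes a user
    //    has the same effect on ServletOAuth2AuthorizedClientExchangeFilterFunction.
    @Bean
    WebClient appScopedServletWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId(REGISTRATION_ID);
        oauth2.setSecurityContextHolderStrategy(new SecurityContextHolderStrategy() {
            @Override public void clearContext() { }
            @Override public SecurityContext getContext() { return new SecurityContextImpl(); }
            @Override public void setContext(SecurityContext context) { }
            @Override public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
        });
        return WebClient.builder().filter(oauth2).build();
    }

    // 3. WebClient in a reactive app: ServerOAuth2AuthorizedClientExchangeFilterFunction offers no
    //    such hook, so this plain ExchangeFilterFunction asks the ReactiveOAuth2AuthorizedClientManager
    //    for the client directly, always with the anonymous principal, and sets the bearer header itself.
    @Bean
    ReactiveOAuth2AuthorizedClientManager appScopedReactiveManager(ReactiveClientRegistrationRepository registrations) {
        // Service-backed manager: keyed by principal name, needs no ServerWebExchange in the Reactor context.
        return new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                registrations, new InMemoryReactiveOAuth2AuthorizedClientService(registrations));
    }

    @Bean
    WebClient appScopedReactiveWebClient(ReactiveOAuth2AuthorizedClientManager manager) {
        ExchangeFilterFunction appScoped = (request, next) -> manager
                .authorize(OAuth2AuthorizeRequest.withClientRegistrationId(REGISTRATION_ID)
                        .principal(ANONYMOUS)
                        .build())
                .map(client -> ClientRequest.from(request)
                        .headers(headers -> headers.setBearerAuth(client.getAccessToken().getTokenValue()))
                        .build())
                .flatMap(next::exchange);
        return WebClient.builder().filter(appScoped).build();
    }
}
```

Each bean shows one variant; a real application keeps only the one matching its stack (defining two WebClient beans side by side would make injection ambiguous). A quick way to confirm the scoping is to watch the authorization server's token endpoint: with the default user-bound behaviour, each distinct logged-in principal produces its own client_credentials request, whereas with these settings the endpoint is called once and the cached token is reused until it expires. The reactive variant is a workaround, not the feature requested: it bypasses the filter function's attribute handling (clientRegistrationId(...) per request) and its failure handling, so it fits best for a client that always targets the same registration.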

Activity

Title changed on Jun 7, 2025 from "ServerOAuth2AuthorizedClientExchangeFilterFunction: provide a mean to bind currentAuthenticationMono to Mono.just(ANONYMOUS_USER_TOKEN)" to "`ServerOAuth2AuthorizedClientExchangeFilterFunction`: scope client credential tokens to the application".

Labels updated on Jun 11, 2025: in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)).
rohan-naik07 commented on Jun 28, 2025

@jgrandja can you assign me this task?

jgrandja (Contributor) commented on Jun 30, 2025

@rohan-naik07 Thanks for the offer, but this issue hasn't been assigned to a release yet. We have a number of higher priority items on our list for the major release of Spring Security 7.0 and Spring Authorization Server 2.0, and with fewer resources on our team this will limit the new features in the next release.

rohan-naik07 commented on Jul 1, 2025

Ok, I will ping again after the 7.0 release. I get that things are tight, but if possible can you provide a link to another issue that needs attention for the upcoming release? Some documentation work or bug fixing, for example. I already have a grasp of Spring Security internals and architecture and even wrote a blog post on it. Attaching a link to the blog; go through it if you get some time off.

https://medium.com/@rohannaik_74642/in-depth-spring-security-part-1-940a27c25acf

jgrandja (Contributor) commented on Jul 3, 2025

@rohan-naik07 Would you be interested in gh-16391 ?


Metadata

Labels: in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)); type: enhancement (A general enhancement)
Assignees: none
Milestone: none
Participants: @ch4mpy, @jgrandja, @rohan-naik07
