Spring Security OAuth2 Client Authorized Clients for Spring MVC

[daniel-shuy]

Spring Security OAuth2 Client only supports authorized clients with WebClient, not RestTemplate (https://docs.spring.io/spring-security/reference/6.1/reactive/oauth2/client/authorized-clients.html).

While WebClient works for Spring MVC (Servlet), ReactiveOAuth2ClientAutoConfiguration is only enabled if the application is a reactive web application:

spring-boot/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientAutoConfiguration.java

Lines 43 to 56 in ae50fa6

	@Conditional(ReactiveOAuth2ClientAutoConfiguration.NonServletApplicationCondition.class)
	@ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ClientRegistration.class })
	@Import({ ReactiveOAuth2ClientConfigurations.ReactiveClientRegistrationRepositoryConfiguration.class,
	ReactiveOAuth2ClientConfigurations.ReactiveOAuth2ClientConfiguration.class })
	public class ReactiveOAuth2ClientAutoConfiguration {
	static class NonServletApplicationCondition extends NoneNestedConditions {
	NonServletApplicationCondition() {
	super(ConfigurationPhase.PARSE_CONFIGURATION);
	}
	@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
	static class ServletApplicationCondition {

Trying to use authorized clients with WebClient for Spring MVC fails because there is no ReactiveClientRegistrationRepository bean.

Therefore at the moment, it is not possible to use Spring Security OAuth2 Client Authorized Clients with Spring MVC.

Is there any issue enabling ReactiveOAuth2ClientAutoConfiguration even if the application is not a reactive web application? If not, maybe the @Conditional can be removed from ReactiveOAuth2ClientAutoConfiguration.

[wilkinsona]

Thanks for the suggestion. Things used to work this way but the conditions were changed based on a recommendation from @rwinch. Some changes to this were discussed in #27839 but it didn't really reach a conclusion.

Have you seen this Spring Security sample that @mbhave linked to in #27839? It shows how a WebClient that uses authorized clients can be set up in a Servlet environment.

[daniel-shuy]

My bad, didn't notice the documentation under the servlet applications section (https://docs.spring.io/spring-security/reference/6.1/servlet/oauth2/client/authorized-clients.html), I'll close this issue, thanks for the quick reply!