Description
This theme will focus on providing consistency for Servlet and Reactive applications that use OAuth2 Client features. Examples include inconsistent parameters in access token requests and notable differences in how the underlying HTTP client is configured (`RestTemplate` vs `WebClient`).
The goal of this effort will be to leverage the introduction of support for `RestClient` (introduced in Spring Framework 6.1) in order to opt in to a new way of configuring OAuth2 Client features of Servlet applications that is more consistent with Reactive applications. This also provides an opportunity to introduce improvements for Servlet applications that would otherwise be breaking changes earlier than Spring Security 7.
Once `RestClient` support is fully available, it would also be possible to consider deprecating support for `RestTemplate`, with the potential to remove that support in Spring Security 7 while still providing adequate time to migrate to `RestClient`.
The following issues are currently included in this theme:
- Additional client_id field added in POST body for private_key_jwt authentication method for client credential grant type #11298
- Client id inclusion for refresh token grant is not consistent between servlet and reactive stacks #14811
- Allow AbstractWebClientReactiveOAuth2AccessTokenResponseClient to be extended #14657
- Add support for requesting protected resources with RestClient #13588
- Consider adding `RestClient` implementations of `OAuth2AccessTokenResponseClient` #15298
- Deprecate default `OAuth2AccessTokenResponseClient`s in favor of `RestClient`-based ones #15737
- Add `loginPage()` to DSL in reactive `oauth2Login()` #15674
- Consider adding `ClientRegistrationIdResolver` to `ExchangeFilterFunction`s #15825
- Consider adding `PrincipalResolver` to `ExchangeFilterFunction`s #16284
Possibly related issues (not directly included in this theme):