Summary
A @RegisteredOAuth2AuthorizedClient should be able to have the scopes necessary to make a particular request. If the scopes are not present on the access token, it should support automatically requesting the additional scopes. This will allow a client to request the fewest possible scopes necessary without needing to provide additional code when needing to request more scopes.
For example, if a ClientRegistration has the scopes user, message, and admin associated with it, a user should be able to write something like @RegisteredOAuth2AuthorizedClient(scopes = { "message" }). If the current access token associated with the registration had the user scope and not the message scope, then Spring Security would trigger the flow that ensures the access token has both the user and message scopes.
We should also ensure that we can get tokens where the scopes are not additive. For example, for the scenario above we might have something like @RegisteredOAuth2AuthorizedClient(onlyScopes = { "message" }). Then the access token that is passed along would contain only the message scope and not the user scope, even though the previously associated token had the user scope.
Comment From: jgrandja
May be related to #5199
Comment From: kdhindsa
@rwinch I am in this situation. Is there some sample where I can explicitly request additional scopes using Spring Security?
Comment From: jgrandja
@kdhindsa See the reference doc for a sample on customizing the Access Token request.
This sample shows how to customize the Token Request using a Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> for a client_credentials ClientRegistration.
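One way to customize the client_credentials token request so that it asks only for a chosen subset of the registration's configured scopes (the "onlyScopes" idea from the summary), as an added example that is not Spring Security's own code nor the reference-doc sample. It assumes the Spring Security 5.2+ API (DefaultClientCredentialsTokenResponseClient.setRequestEntityConverter); the class name ScopeOverridingRequestEntityConverter, the messageOnlyClient() wiring method and the "message" scope value are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

/** Hypothetical converter: delegates to Spring's default, then narrows the "scope" parameter. */
public final class ScopeOverridingRequestEntityConverter
        implements Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> {

    private final OAuth2ClientCredentialsGrantRequestEntityConverter delegate =
            new OAuth2ClientCredentialsGrantRequestEntityConverter();
    private final Set<String> requestedScopes;

    public ScopeOverridingRequestEntityConverter(String... scopes) {
        this.requestedScopes = new LinkedHashSet<>(Arrays.asList(scopes));
    }

    @Override
    public RequestEntity<?> convert(OAuth2ClientCredentialsGrantRequest grantRequest) {
        RequestEntity<?> defaults = this.delegate.convert(grantRequest);
        @SuppressWarnings("unchecked") // the default converter's body is the form-parameter map
        MultiValueMap<String, String> form = (MultiValueMap<String, String>) defaults.getBody();
        // Least privilege: never ask for a scope the registration was not configured with
        Set<String> allowed = grantRequest.getClientRegistration().getScopes();
        Set<String> effective = new LinkedHashSet<>(this.requestedScopes);
        effective.retainAll(allowed != null ? allowed : Collections.emptySet());
        if (effective.isEmpty()) {
            throw new IllegalArgumentException("none of " + this.requestedScopes
                    + " is configured on registration " + grantRequest.getClientRegistration().getRegistrationId());
        }
        // Replace (not append to) the default scope list, so the token carries only these scopes
        form.set(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(effective, " "));
        return new RequestEntity<>(form, defaults.getHeaders(), defaults.getMethod(), defaults.getUrl());
    }
    /** Wiring (hypothetical): request only the "message" scope for client_credentials registrations. */
    public static DefaultClientCredentialsTokenResponseClient messageOnlyClient() {
        DefaultClientCredentialsTokenResponseClient client = new DefaultClientCredentialsTokenResponseClient();
        client.setRequestEntityConverter(new ScopeOverridingRequestEntityConverter("message"));
        return client;
    }
}
```

Register the returned client with your OAuth2AuthorizedClientManager's client_credentials provider so every token request for that registration is narrowed the same way.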
Comment From: kdhindsa
@jgrandja Thanks. Yes, I stumbled upon this a couple of days later and I was able to get it to work by customizing the token request. I ought to be relying on spring manuals from now on.