Expected Behavior

Headers added to the request via .headers((headers) -> populateTokenRequestHeaders(grantRequest, headers)) of the WebClient should be customizable so the application can add additional headers or customize the default set of headers provided by AbstractWebClientReactiveOAuth2AccessTokenResponseClient.

Current Behavior

Currently, the request can only be customized by providing a custom WebClient and registering an ExchangeFilterFunction. This limits the application to only the current ClientRequest, possibly requiring parsing and mutating the request after it has already been built, with the inability to access the current AbstractOAuth2AuthorizationGrantRequest.

Context

See gh-10042

Comment From: sjohnr

@vboulaye, I looked at AbstractWebClientReactiveOAuth2AccessTokenResponseClient while opening up this ticket. So far, it looks like the only customization points are package-private methods that can be overridden by a sub-class. However, the implementation on the servlet side uses the Converter interface, with a default implementation. For example, given <T extends AbstractOAuth2AuthorizationGrantRequest>:

    private Converter<T, HttpHeaders> headersConverter = this::populateTokenRequestHeaders;

Similar to the existing method but now returning headers:

    private HttpHeaders populateTokenRequestHeaders(T grantRequest) { ... }

And provide a nicely documented setter. I think something like this could be the way to go.
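The converter-with-default pattern described in the comment above, as an added sketch that is not Spring Security's code or the commenter's: the class name `TokenRequestHeaders`, both method names on it, and the Basic-only default are assumptions. It shows the difference between replacing the converter, which drops the default client-authentication header unless the custom converter re-adds it, and composing on top of the default.

```java
import java.util.List;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.util.Assert;

// Hypothetical class sketching the pattern from the comment; not Spring Security source.
class TokenRequestHeaders<T extends AbstractOAuth2AuthorizationGrantRequest> {

    // The default converter is the existing populate method, now returning headers.
    private Converter<T, HttpHeaders> headersConverter = this::populateTokenRequestHeaders;

    /** Replaces the converter outright; the default headers are dropped unless re-added. */
    void setHeadersConverter(Converter<T, HttpHeaders> headersConverter) {
        Assert.notNull(headersConverter, "headersConverter cannot be null");
        this.headersConverter = headersConverter;
    }

    /** Keeps the current headers (client authentication included) and appends more. */
    void addHeadersConverter(Converter<T, HttpHeaders> additional) {
        Assert.notNull(additional, "additional cannot be null");
        Converter<T, HttpHeaders> current = this.headersConverter;
        this.headersConverter = (grantRequest) -> {
            HttpHeaders headers = new HttpHeaders();
            HttpHeaders base = current.convert(grantRequest);
            if (base != null) headers.addAll(base);
            HttpHeaders extra = additional.convert(grantRequest);
            if (extra != null) headers.addAll(extra);
            return headers;
        };
    }

    // What the WebClient call would apply inside .headers(h -> h.addAll(...)).
    HttpHeaders headersFor(T grantRequest) {
        return this.headersConverter.convert(grantRequest);
    }

    private HttpHeaders populateTokenRequestHeaders(T grantRequest) {
        ClientRegistration registration = grantRequest.getClientRegistration();
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(List.of(MediaType.APPLICATION_JSON));
        // Simplified assumption: HTTP Basic client authentication for every registration.
        headers.setBasicAuth(registration.getClientId(), registration.getClientSecret());
        return headers;
    }
}
```

Because the converter receives the grant request itself, an added header can depend on the `ClientRegistration`, which an `ExchangeFilterFunction` on the already-built `ClientRequest` cannot see.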