Expected Behavior

As per RFC 7521 and 7523, there are some claims that compose the Jwt that are related to the client registration, like issuer or client_id.

When making a call like

String body = webClient
    .get()
    .attributes(clientRegistrationId("client-jwt-bearer").andThen(authentication(authentication)))
    .retrieve()
    .bodyToMono(String.class)
    .block();

It would be easier to have direct access to the client Registration for building the authentication instance.

Current Behavior

Client code must inject ClientRegistrationRepository/Service in order to get the client registration information to build the token and then make the WebClient call. It complicates the code and ties the code tightly to security concerns. It makes things more complicated when using a default client, as we must deal with setting the default client Id everywhere while it is already, but uselessly, configured on the ServletOAuth2AuthorizedClientExchangeFilterFunction.

Context

Having https://github.com/spring-projects/spring-security/issues/9879 resolved, this should be easy to fix.

Comment From: jgrandja

@sclorng I re-opened gh-9812, which will address:

It would be easier to have direct access to the client Registration for building the authentication instance.

Your suggested improvement on exposing a Converter<OAuth2AuthorizationContext, Jwt> will provide access via OAuth2AuthorizationContext.getClientRegistration().

I'll close this as a duplicate and we'll address your concerns in gh-9812.
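
An added example, not part of the issue thread or of Spring Security's own code: one way a Converter<OAuth2AuthorizationContext, Jwt> could derive the RFC 7523 assertion claims from the client registration carried by the context. The class name, the mapping of iss to client_id and aud to the token URI, the 60-second lifetime and the injected JwtEncoder are assumptions; how such a converter is wired into the jwt-bearer flow is not shown.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.UUID;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;

// Hypothetical class: builds the jwt-bearer assertion from the registration
// carried by the authorization context, so callers never look it up themselves.
public final class RegistrationJwtAssertionConverter
        implements Converter<OAuth2AuthorizationContext, Jwt> {

    // Assumed lifetime: keep assertions short-lived to limit replay.
    private static final Duration LIFETIME = Duration.ofSeconds(60);

    private final JwtEncoder encoder; // signing keys are configured elsewhere

    public RegistrationJwtAssertionConverter(JwtEncoder encoder) {
        this.encoder = encoder;
    }

    @Override
    public Jwt convert(OAuth2AuthorizationContext context) {
        ClientRegistration registration = context.getClientRegistration();
        String tokenUri = registration.getProviderDetails().getTokenUri();
        if (tokenUri == null || tokenUri.isBlank()) {
            throw new IllegalStateException("No token URI for registration "
                    + registration.getRegistrationId());
        }
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer(registration.getClientId())         // assumption: iss = client_id
                .subject(context.getPrincipal().getName())  // principal the grant is for
                .audience(List.of(tokenUri))                // restrict to this token endpoint
                .issuedAt(now)
                .expiresAt(now.plus(LIFETIME))
                .id(UUID.randomUUID().toString())           // jti, lets the server detect replay
                .build();
        return this.encoder.encode(JwtEncoderParameters.from(claims));
    }
}
```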