In our setup, the client secret is an encrypted property, and decrypting it requires a remote call, which affects the startup time of the app. It would be nice if we could extend the ClientRegistration class and override getClientSecret to load it lazily, so we can decrypt the secret only when it is used.

Comment From: jgrandja

@kzwang I would recommend lazily loading ClientRegistration via ClientRegistrationRepository.findByRegistrationId(). Here you could decrypt clientSecret before returning the ClientRegistration for use.

I'm going to close this based on the recommended implementation strategy.
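
The strategy recommended in the comment above, sketched as an added example; it is not code from this thread or from Spring Security. `SecretDecryptor` and the class name are hypothetical, and the registrations passed in are assumed to carry the still-encrypted value in `clientSecret`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

/** Moves the remote decrypt call from application startup to the first lookup of each registration. */
public class LazyDecryptingClientRegistrationRepository implements ClientRegistrationRepository {

    /** Hypothetical abstraction over the remote decryption service. */
    @FunctionalInterface
    public interface SecretDecryptor {
        String decrypt(String ciphertext);
    }

    // Registrations as loaded from configuration: clientSecret still holds ciphertext.
    private final Map<String, ClientRegistration> encrypted;
    // Registrations whose secret has already been decrypted; filled on demand.
    private final Map<String, ClientRegistration> decrypted = new ConcurrentHashMap<>();
    private final SecretDecryptor decryptor;

    public LazyDecryptingClientRegistrationRepository(
            Iterable<ClientRegistration> registrations, SecretDecryptor decryptor) {
        Map<String, ClientRegistration> byId = new HashMap<>();
        registrations.forEach(r -> byId.put(r.getRegistrationId(), r));
        this.encrypted = Collections.unmodifiableMap(byId);
        this.decryptor = decryptor;
    }

    @Override
    public ClientRegistration findByRegistrationId(String registrationId) {
        ClientRegistration source = this.encrypted.get(registrationId);
        if (source == null) {
            return null; // interface contract: null when no registration matches
        }
        // computeIfAbsent makes the remote call at most once per registration ID.
        // If decrypt() throws, nothing is cached and the next lookup retries.
        return this.decrypted.computeIfAbsent(registrationId, id ->
                ClientRegistration.withClientRegistration(source)
                        .clientSecret(this.decryptor.decrypt(source.getClientSecret()))
                        .build());
    }
}
```

Every caller of `findByRegistrationId` triggers the decrypt on first use, including callers that only read scopes, which is the limitation raised in the next comment. Decrypted secrets stay cached in memory for the lifetime of the repository, so the cache has the same exposure as an eagerly decrypted configuration.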

Comment From: kzwang

@jgrandja There are a couple of places where we need ClientRegistration but not the client secret, e.g., we want to read the configured scopes of the client to validate the scopes in the token, but we don't need the client secret for that. So lazy loading of ClientRegistrationRepository.findByRegistrationId doesn't really work, since it would still decrypt the secret when not needed.

The workaround I'm using now is that, in my own ClientRegistrationRepository implementation, I added another findByRegistrationIdWithoutSecret method to return a ClientRegistration with all the same info except the secret. But then I can't use the ClientRegistrationRepository interface anymore and have to use my own class, and Spring Security code won't be aware of that method, so anytime Spring code calls findByRegistrationId, even if it doesn't need the secret, it will still decrypt the secret.

Comment From: jgrandja

@kzwang Thanks for the detailed explanation. I understand the challenge you have. Let's figure out the best solution for you.

Are there any other special use cases that I need to be aware of? I'd like to account for all use cases before we figure out a solution.

Can you also detail the points of access for ClientRegistration.getClientSecret()? The obvious one is when the client is about to authenticate, but are there other points in the code where you need to decrypt?

Comment From: jgrandja

@kzwang Are you still looking for a solution here? If so, please respond to my previous comment and we can figure it out from there.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.