Describe the bug
OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration does not use the OAuth2AuthorizedClientManager provided by the Spring configuration; therefore, @RegisteredOAuth2AuthorizedClient annotated parameters do not use potential customization done in the config.
To Reproduce
Let's say you want to customize the access token response for a refresh, as described in the doc:
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
        ClientRegistrationRepository clientRegistrationRepository,
        OAuth2AuthorizedClientRepository authorizedClientRepository) {
    OAuth2AuthorizedClientProvider authorizedClientProvider =
            OAuth2AuthorizedClientProviderBuilder.builder()
                    .authorizationCode()
                    .refreshToken(configurer -> configurer.accessTokenResponseClient(myCustomAccesTokenResponseClient()))
                    .clientCredentials()
                    .password()
                    .build();
    DefaultOAuth2AuthorizedClientManager authorizedClientManager =
            new DefaultOAuth2AuthorizedClientManager(
                    clientRegistrationRepository, authorizedClientRepository);
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}
This will not be taken into account when the token is refreshed through a @RegisteredOAuth2AuthorizedClient parameter because OAuth2ClientConfiguration creates an OAuth2AuthorizedClientManager by itself.
Expected behavior
Maybe OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration should inject an OAuth2AuthorizedClientManager and use this one if it exists? (or allow the customization of the manager created if it is intended to create a different one).
Comment From: jgrandja
Thanks for the report @benba.
By default, both OAuth2AuthorizedClientArgumentResolver and ServletOAuth2AuthorizedClientExchangeFilterFunction create a default OAuth2AuthorizedClientManager. Instead of using @RegisteredOAuth2AuthorizedClient to refresh the access token, you can configure ServletOAuth2AuthorizedClientExchangeFilterFunction to use your custom OAuth2AuthorizedClientManager for refreshing the access token. Of course, this is only applicable if you're using WebClient.
Regardless, I'll add this to the backlog as an enhancement.
Comment From: jgrandja
Related #8669