Spring Security AbstractWebClientReactiveOAuth2AccessTokenResponseClient and access modifiers for methods

Describe the bug AbstractWebClientReactiveOAuth2AccessTokenResponseClient is abstract, but it is not final. I can extend it for my project (specific package), but AbstractWebClientReactiveOAuth2AccessTokenResponseClient has default access modifiers for methods "clientRegistration" and "scopes", so i get compilation error.

Expected behavior I expect that i can extend this class in my project (package doesn't equal org.springframework.security.oauth2.client.endpoint) or not if it is final.

Comment From: jgrandja

@skhrom Can you please provide more details on why you need protected access to clientRegistration() and scopes(). I'd like to understand your use case better.

FYI, we typically don't "open" things up unless there are no other options for customization or extension.

Comment From: skhrom

Hello, @jgrandja

I need to use spring-security, oauth2, openid-connect for authorization-grant-type client_credentials. I use Webclient. Our Authorization Server expects, that client to send additional parameters (resources and scope (https://datatracker.ietf.org/doc/html/rfc8707)). I have set parameters in OAuth2AuthorizationContext#attributes (org.springframework.security.oauth2.client.OAuth2AuthorizationContext), but the provider (ClientCredentialsReactiveOAuth2AuthorizedClientProvider#authorize) doesn't handle it and AbstractWebClientReactiveOAuth2AccessTokenResponseClient(method getTokenResponse) too. Therefore, i need to implement the provider and the client that will handle the parameters from OAuth2AuthorizationContext.

Comment From: jgrandja

@skhrom Adding custom parameters in the token request is possible via WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter() or WebClientReactiveClientCredentialsTokenResponseClient.addParametersConverter().

NOTE: This was added in 5.6

Please see Customizing the Access Token Request for further details.

I'm going to close this since customizations hooks are already available.

Comment From: skhrom

@jgrandja WebClientReactiveClientCredentialsTokenResponseClient and OAuth2ClientCredentialsGrantRequest don't have attributes from OAuth2AuthorizationContext. I use my custom OAuth2ClientCredentialsGrantRequest, but to use additional atributes from OAuth2AuthorizationContext i need to owerride ReactiveOAuth2AuthorizedClientProvider and ReactiveOAuth2AccessTokenResponseClient.

Or how i can get attributes from OAuth2AuthorizationContext to OAuth2ClientCredentialsGrantRequest ?

Comment From: jgrandja

@skhrom WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter() provides you access to OAuth2ClientCredentialsGrantRequest so you should have all the information you need to customize the token request.

Can you provide a sample of your code so I can better understand.