Hi,

Would it be possible for AbstractWebClientReactiveOAuth2AccessTokenResponseClient to have the WebClient instance customized by a WebClientCustomizer bean ? Since the WebClientAutoConfiguration proposes the WebClient.Builder webClientBuilder(ObjectProvider customizerProvider) to customize a webclient, it looks to me akward that I have to replace the webclient via a setter. And when doing so I have to cast to proper class. Thx.

BR, Dan S.

Comment From: sjohnr

Hi @lmcdasi, thanks for reaching out!

And when doing so I have to cast to proper class.

Can you give an example or explain what you mean by this?

Comment From: lmcdasi

I can do it without casting if the accessTokenResponseClient is set as the Abstract class.

AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> **accessTokenResponseClient** = new WebClientReactiveClientCredentialsTokenResponseClient(); accessTokenResponseClient.setWebClient(webClientBuilder.build()); lientCredentialsProvider = new ClientCredentialsReactiveOAuth2AuthorizedClientProvider(); clientCredentialsProvider.setAccessTokenResponseClient(**accessTokenResponseClient**);

I still think the webclientbuilder injection would be more of a 'spring framework' way of working rather than codding the setter myself.

At the same time why not using proxyWithSystemProperties() in the abstract class directly, since if proxy is not present it would do as it is now ...

`@Component public class OauthWebClientCustomizer implements WebClientCustomizer { private static final Logger LOGGER = LoggerFactory.getLogger(OauthWebClientCustomizer.class);

@Override
public void customize(Builder webClientBuilder) {
    LOGGER.info("WebClientCustomizer - customize webclient proxyWithSystemProperties if present");
    webClientBuilder.clientConnector(new ReactorClientHttpConnector(HttpClient.create()
            .proxyWithSystemProperties()));
}

}`

Comment From: sjohnr

@lmcdasi, take a look at the docs for customizing the WebClient with the client_credentials grant. Here's an example of creating the WebClientReactiveClientCredentialsTokenResponseClient using a WebClient.Builder and providing it to a ReactiveOAuth2AuthorizedClientProvider:

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider(
        WebClient.Builder webClientBuilder) {
    WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
        new WebClientReactiveClientCredentialsTokenResponseClient();
    accessTokenResponseClient.setWebClient(webClientBuilder.build());

    return ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .clientCredentials(clientCredentials ->
            clientCredentials.accessTokenResponseClient(accessTokenResponseClient))
        .build();
}

The different implementations of ReactiveOAuth2AccessTokenResponseClient are lower-level components that have a lot of flexibility. Most components at this level in Spring Security expose setters like this as a common practice for customization. See gh-8882 for discussion regarding why a global WebClient is not used by the framework and options for making it easier to customize across the OAuth2 stack.

I'm going to close this issue for now, as I don't believe we would want to make a significant change in strategy for configuring a WebClient at the token response client level as the above example is quite easy already. If you feel I've misunderstood anything, we can continue discussing and re-open if necessary.