Spring Security Impossible to define OAuth2 provider via XML

Describe the bug

While XSD defines a top-level element <provider>, there are no handlers defined for it in SecurityNamespaceHandler. And if we look at ClientRegistrationsBeanDefinitionParser - it looks for providers inside of <client-registrations>. But the latter can't have such child tags according to the XSD.

So seems like there's no way to define custom OAuth2 configuration if it's XML configuration.

Comment From: sjohnr

Hi @ctapobep, thanks for reaching out!

While XSD defines a top-level element , there are no handlers defined for it in SecurityNamespaceHandler.

I believe this line configures the <client-registrations> element:

https://github.com/spring-projects/spring-security/blob/0aac515737e385feca81286a6f0bfd1ef2bb90ab/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java#L193

which parses the "provider" tag here:

https://github.com/spring-projects/spring-security/blob/0aac515737e385feca81286a6f0bfd1ef2bb90ab/config/src/main/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParser.java#L142

You can see some examples in unit tests, such as this one:

https://github.com/spring-projects/spring-security/blob/0aac515737e385feca81286a6f0bfd1ef2bb90ab/config/src/test/resources/org/springframework/security/config/oauth2/client/google-registration.xml#L36-L42

Does that help answer your question?

Comment From: ctapobep

Oh my, I missed that it's a xs:sequence and so the order of elements matters. Sorry for this.

Comment From: sjohnr

Not a problem, @ctapobep.