There are some OAuth services that implement rate limiting, e.g. https://blog.allegro.tech/2021/11/oauth-rate-limiting.html. At this moment, in highly concurrent apps, all of the implementations of ReactiveOAuth2AuthorizedClientProvider fail with HTTP 429 Too Many Requests.
Proposition:
Add variants of the ReactiveOAuth2AuthorizedClientProvider implementations that handle rate limiting.
A possible implementation could involve the HTTP call to the OAuth service being wrapped in a semaphore, like the following:
```java
import java.util.concurrent.Semaphore;

import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

// Assumed fields/helpers on the enclosing provider (as in
// ClientCredentialsReactiveOAuth2AuthorizedClientProvider): a Semaphore sized to the
// authorization server's limit, a ReactiveOAuth2AccessTokenResponseClient, and hasTokenExpired().
public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) {
    Assert.notNull(context, "context cannot be null");
    ClientRegistration clientRegistration = context.getClientRegistration();
    if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) {
        return Mono.empty();
    }
    OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
    if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
        return Mono.empty();
    }
    Mono<OAuth2AuthorizedClient> client = Mono.just(new OAuth2ClientCredentialsGrantRequest(clientRegistration))
            .flatMap(this.accessTokenResponseClient::getTokenResponse)
            .onErrorMap(OAuth2AuthorizationException.class,
                    ex -> new ClientAuthorizationException(ex.getError(), clientRegistration.getRegistrationId(), ex))
            .map(tokenResponse -> new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(),
                    tokenResponse.getAccessToken()));
    // Acquire the permit per subscription rather than at assembly time, and release it on
    // complete, error or cancel; acquiring eagerly leaks a permit whenever the Mono is never subscribed.
    return Mono.using(() -> { this.semaphore.acquireUninterruptibly(); return this.semaphore; },
            permit -> client, Semaphore::release);
}
```
Comment From: sjohnr
Hi @norbercik93, thanks for reaching out!
> At this moment, in highly concurrent apps, all of the implementations of ReactiveOAuth2AuthorizedClientProvider fail with HTTP 429 Too Many Requests.
Are these 429 Too Many Requests errors coming from the authorization server/provider?
> A possible implementation could involve the HTTP call to the OAuth service being wrapped in a semaphore, like the following:

I'm wondering why this approach of wrapping the request processing flow with semaphores couldn't be done by building a delegating ReactiveOAuth2AuthorizedClientProvider implementation of your own?
I feel configuring a specialized implementation wouldn't be much easier than building a simple delegating implementation yourself, since it would require parameters specific to your requirements to get it right anyway.
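The delegating provider suggested in the comment above, written out as an added example (this is not Spring Security's code and not the issue author's; the class name, constructor parameters and the timeout behaviour are assumptions). It bounds the number of token requests in flight with a `Semaphore`, takes the permit at subscription time on Reactor's `boundedElastic` scheduler so the blocking wait never lands on an event-loop thread, and releases it on completion, error or cancellation via `Mono.using`:

```java
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;

import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

/**
 * Example (not part of Spring Security): a delegating provider that limits how many
 * token requests the wrapped provider may have in flight at once. Everything except
 * permit handling is delegated, so it can wrap any ReactiveOAuth2AuthorizedClientProvider.
 */
public final class ConcurrencyLimitingReactiveOAuth2AuthorizedClientProvider
        implements ReactiveOAuth2AuthorizedClientProvider {

    private final ReactiveOAuth2AuthorizedClientProvider delegate;
    private final Semaphore permits;
    private final long acquireTimeoutMillis;

    /**
     * @param delegate             the real provider (e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider)
     * @param maxConcurrent        maximum token requests in flight; tune to the server's limit (assumed value)
     * @param acquireTimeoutMillis how long a caller waits for a permit before failing instead of queueing forever
     */
    public ConcurrencyLimitingReactiveOAuth2AuthorizedClientProvider(
            ReactiveOAuth2AuthorizedClientProvider delegate, int maxConcurrent, long acquireTimeoutMillis) {
        Assert.notNull(delegate, "delegate cannot be null");
        Assert.isTrue(maxConcurrent > 0, "maxConcurrent must be positive");
        this.delegate = delegate;
        this.permits = new Semaphore(maxConcurrent, true); // fair, so waiters are served in order
        this.acquireTimeoutMillis = acquireTimeoutMillis;
    }

    @Override
    public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) {
        Assert.notNull(context, "context cannot be null");
        // Mono.using: acquire the permit per subscription, run the delegate while holding it,
        // and release it on complete, error or cancel. subscribeOn moves the blocking
        // tryAcquire (and the permit release) off the reactive event-loop threads.
        return Mono.using(this::acquirePermit, permit -> this.delegate.authorize(context), Semaphore::release)
                .subscribeOn(Schedulers.boundedElastic());
    }

    private Semaphore acquirePermit() throws InterruptedException {
        // Bounded wait: a stalled authorization server must not pin every caller indefinitely.
        if (!this.permits.tryAcquire(this.acquireTimeoutMillis, TimeUnit.MILLISECONDS)) {
            throw new IllegalStateException("timed out waiting for a token-request permit");
        }
        return this.permits;
    }
}
```

To use it, wrap the stock provider and hand the wrapper to the manager, e.g. `new ConcurrencyLimitingReactiveOAuth2AuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider(), 5, 2000)` passed to `DefaultReactiveOAuth2AuthorizedClientManager.setAuthorizedClientProvider(...)`. Two caveats: the wrapper cannot see whether the delegate will actually call the token endpoint, so a permit is also taken for the cases where the delegate returns `Mono.empty()` because the cached token is still valid (it is released immediately, so the cost is small); and a concurrency cap is not the same as a requests-per-second limit, so if the server enforces a rate rather than a concurrency limit you still need to size the permit count and the timeout against the observed 429 behaviour.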
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.