Spring Security Simplify registering a custom (Reactive)OAuth2AuthorizedClientProvider

To specify a custom OAuth2AuthorizedClientProvider requires specifying a number of other things as well:

@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
        ClientRegistrationRepository clientRegistrationRepository,
        OAuth2AuthorizedClientRepository authorizedClientService) {
    var custom  = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
    custom.setClockSkew(Duration.ofMinutes(2));
    var authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(
                    clientRegistrationRepository, authorizedClientService);
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

It would be nice to be able to focus only on the provider itself, like so:

@Bean
public OAuth2AuthorizedClientProvider authorizedClientProvider() {
    var jwtBearer  = new JwtBearerOAuth2AuthorizedClientProvider();
    jwtBearer.setClockSkew(Duration.ofMinutes(2));
    return jwtBearer;
}

It seems like this is already the pattern that is encouraged by the fact that OAuth2ClientConfiguration looks for the other components of OAuth2AuthorizedClientManager as beans.

I think it would be good to further simplify this configuration by also deprecating the lookup of OAuth2AccessTokenResponseClient for client credentials since this is a couple of layers of configuration deep. Instead, I think it would be better for folks to do:

@Bean
public OAuth2AuthorizedClientProvider authorizedClientProvider() {
    var clientCredentials  = new ClientCredentialsOAuth2AuthorizedClientProvider();
    clientCredentials.setAccessTokenResponseClient(custom);
    return clientCredentials;
}

Or if more are needed then:

@Bean
public OAuth2AuthorizedClientProvider authorizedClientProvider() {
    return OAuth2AuthorizedClientProviderBuilder.builder()
        .authorizationCode().clientCredentials((client) -> client.accessTokenResponseClient(custom))
        .build();
}

Comment From: jgrandja

Related gh-8882

Comment From: jgrandja

@jzheaux This seems very similar to gh-11783

Comment From: jzheaux

Since I think that publishing a OAuth2AuthorizedClientProvider is a happy medium with the current model, I've added it as a concrete suggestion to #11783 and closed this issue.