Expected Behavior
Just like OAuth2LoginSpec, OAuth2ClientSpec should get ReactiveOAuth2AccessTokenResponseClient from Spring IoC :
/**
* Gets the {@link ReactiveAuthenticationManager} to use. First tries an explicitly configured manager, and
* defaults to {@link OAuth2AuthorizationCodeReactiveAuthenticationManager}
*
* @return the {@link ReactiveAuthenticationManager} to use
*/
private ReactiveAuthenticationManager getAuthenticationManager() {
if (this.authenticationManager == null) {
this.authenticationManager = new OAuth2AuthorizationCodeReactiveAuthenticationManager(getAccessTokenResponseClient());
}
return this.authenticationManager;
}
private ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> getAccessTokenResponseClient() {
ResolvableType type = ResolvableType.forClassWithGenerics(ReactiveOAuth2AccessTokenResponseClient.class, OAuth2AuthorizationCodeGrantRequest.class);
ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> bean = getBeanOrNull(type);
if (bean == null) {
return new WebClientReactiveAuthorizationCodeTokenResponseClient();
}
return bean;
}
Current Behavior
Current mechanism :
private ReactiveAuthenticationManager getAuthenticationManager() {
if (this.authenticationManager == null) {
this.authenticationManager = new OAuth2AuthorizationCodeReactiveAuthenticationManager(new WebClientReactiveAuthorizationCodeTokenResponseClient());
}
return this.authenticationManager;
}
Context
I consider that,ReactiveOAuth2AccessTokenResponseClient in Spring IoC is the default one 、the global one. This facilitates consistent behavior,if not I need like the following :
@Bean
@ConditionalOnMissingBean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange().anyExchange().authenticated();
http.oauth2Login();
http.oauth2Client().authenticationManager(new OAuth2AuthorizationCodeReactiveAuthenticationManager(oAuth2AccessTokenResponseClient()));
return http.build();
}
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> oAuth2AccessTokenResponseClient() {
// ignore
}
It looks not good.
Comment From: sjohnr
Hi @NotFound403. I'm going through a few unanswered issues and saw this one.
It looks not good.
Can you explain what you mean here? For example, do you mean that there's a workaround but it is inconvenient or difficult? Or do you mean something you're trying to achieve is impossible?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: sjohnr
@NotFound403 did you happen to see the above comment?
Comment From: NotFound403
ReactiveOAuth2AccessTokenResponseClient could customize and have the global default one in Spring IoC
Comment From: sjohnr
Thanks @NotFound403. I think you're just requesting a general enhancement (nice-to-have) to make OAuth2ClientSpec consistent with OAuth2LoginSpec in the way it obtains a ReactiveOAuth2AccessTokenResponseClient for creating the default OAuth2AuthorizationCodeReactiveAuthenticationManager. Let me know if you think there's anything I've missed.
Comment From: NotFound403
Thanks @NotFound403. I think you're just requesting a general enhancement (nice-to-have) to make OAuth2ClientSpec consistent with OAuth2LoginSpec in the way it obtains a ReactiveOAuth2AccessTokenResponseClient for creating the default OAuth2AuthorizationCodeReactiveAuthenticationManager. Let me know if you think there's anything I've missed.
yes, keep them consistent