Describe the bug
When using opaque tokens with an OAuth 2 resource server, WebFlux's ServerBearerTokenAuthenticationConverter does not support authentication via URL-encoded POST requests with their access token as a body parameter.
RFC-6750 Sec. 2.2 describes this behaviour and it is supported by DefaultBearerTokenResolver in MVC.
To Reproduce
Create a POST endpoint for which authentication with an OAuth 2 resource server with an opaque token is needed. Doing so with the reactive stack does not allow for authentication via a body parameter.
Expected behavior
Providing a body parameter with a valid access token named access_token should authenticate the request.
Sample
A sample project with designated test cases for the MVC and reactive stack can be found here: https://github.com/jonah1und1/spring-security-rfc6750-2.2
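The token resolution rules of RFC 6750 that the report relies on, as an added example that is not part of the original issue, the linked sample project or Spring Security's code. It uses only the JDK (10+); the class and method names are hypothetical, the requests in `main` are constructed, and `IllegalArgumentException` stands in for an `invalid_request` error response.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added example (hypothetical class, JDK only): RFC 6750 bearer token resolution.
public class FormBodyBearerTokenExample {
    // Returns the token, empty if none was sent; throws on an invalid request.
    static Optional<String> resolve(String method, String contentType, String authorization, String body) {
        boolean bearer = authorization != null && authorization.regionMatches(true, 0, "Bearer ", 0, 7);
        String headerToken = bearer ? authorization.substring(7).trim() : null;
        List<String> bodyTokens = new ArrayList<>();
        if (isFormRequest(method, contentType) && body != null) {
            for (String pair : body.split("&")) {
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq);
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                if ("access_token".equals(URLDecoder.decode(name, StandardCharsets.UTF_8))) {
                    bodyTokens.add(URLDecoder.decode(value, StandardCharsets.UTF_8));
                }
            }
        }
        // Sec. 2: a client must not send the token by more than one method.
        if (bodyTokens.size() > 1 || (headerToken != null && !bodyTokens.isEmpty())) {
            throw new IllegalArgumentException("invalid_request: multiple bearer tokens");
        }
        return headerToken != null ? Optional.of(headerToken) : bodyTokens.stream().findFirst();
    }

    // Sec. 2.2: the body only counts when it is form-encoded and the method is not GET.
    static boolean isFormRequest(String method, String contentType) {
        if (contentType == null || "GET".equalsIgnoreCase(method)) return false;
        String mediaType = contentType.split(";", 2)[0].trim();
        return "application/x-www-form-urlencoded".equalsIgnoreCase(mediaType);
    }

    public static void main(String[] args) {
        String form = "application/x-www-form-urlencoded";
        // Constructed requests; "opaque-123" is a placeholder token.
        System.out.println(resolve("POST", form, null, "a=1&access_token=opaque-123"));
        System.out.println(resolve("GET", form, null, "access_token=opaque-123"));
        System.out.println(resolve("POST", "application/json", null, "access_token=opaque-123"));
        try {
            resolve("POST", form, "Bearer opaque-123", "access_token=opaque-123");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```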
Comment From: jonah1und1
Any updates on this?
I will happily improve on the issue description and/or pull request if needed.
Comment From: sjohnr
@jonah1und1 thanks for checking. We are working on a few high priority items for the release and then I will be reviewing your PR. If you would like to get a head start, please check the PR for modern Java features from Java 11+ and switch back to the corresponding Java 8 features. We are not yet ready to update most of the source code to Java 17 features because we are following Spring Framework's lead on which language features we are using.
Comment From: jonah1und1
@sjohnr Thank you. I will do that.
Comment From: jonah1und1
@sjohnr Did you have any time to take a look at the PR yet?