Describe the bug

The client_secret parameter is missing from the request body when sending a token request. I'm using https://login.live.com/.well-known/openid-configuration as the IdP.

Dependencies

- Spring-boot-starter: 3.3.6
- Spring-cloud: 2023.0.3
- Spring Gateway (reactive)
- Spring-oauth2-client

To Reproduce

application.yaml

spring:
  main:
    allow-bean-definition-overriding: true

  cloud:
    gateway:
      routes:
        - id: bff
          uri: http://localhost:8080
          predicates:
            - Path=/api/**
          filters:
            - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
            - TokenRelay=
            - SaveSession
            - StripPrefix=1

  security:
    oauth2:
      client:
        provider:
          azuread:
            issuer-uri: https://login.live.com # Spring will get the configuration from https://login.live.com/.well-known/openid-configuration
        registration:
          azuread:
            provider: azuread
            authorization-grant-type: authorization_code
            client-id: ${client-id}
            client-secret: ${client-secret}
            redirect-uri: http://localhost:8080/oauth2/code/azuread
            client-authentication-method: client_secret_post
            scope:
              - openid
              - profile
              - email
              - offline_access
              - XboxLive.signin # Scopes to get access to xbox live
              - XboxLive.offline_access

SecurityConfiguration

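import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;

// Reactive security configuration: OAuth2 login plus OAuth2 client support for the gateway.
@Slf4j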
@RequiredArgsConstructor
@Configuration
@EnableWebFluxSecurity
public class OAuth2SecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange(authorizeExchangeSpec -> authorizeExchangeSpec
                        .pathMatchers("/oauth2/**").permitAll()
                        .anyExchange().authenticated())
                .oauth2Login(o -> o.authenticationFailureHandler(serverAuthenticationFailureHandler()))
                .oauth2Client(Customizer.withDefaults());
        return http.build();
    }


    @Bean
    public ServerAuthenticationFailureHandler serverAuthenticationFailureHandler() {
        return new OAuth2ServerAuthenticationFailureHandler();
    }

}

Expected behavior

The client_secret parameter should be present in the token request (in my case: https://login.live.com/oauth20_token.srf).

Sample Example on GitHub

Comment From: matthias-kopeinigg

Closing this ticket since the request somehow works (without any changes). Might be an issue from the azuread side.
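
To check a captured token request against the expected behavior described in this issue, the following added example (not code from the issue, its sample repository, or Spring Security) classifies whether the client credentials travelled in the form body (client_secret_post), in the Authorization header (client_secret_basic), or not at all, and redacts secrets before the request is shared. The class name, method names and sample values are assumptions constructed for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.net.URLDecoder;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class TokenRequestAuthCheck {
    enum Method { CLIENT_SECRET_POST, CLIENT_SECRET_BASIC, NONE }

    // Decode an application/x-www-form-urlencoded token request body.
    static Map<String, String> parseForm(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            String[] kv = pair.split("=", 2);
            params.put(URLDecoder.decode(kv[0], UTF_8),
                       kv.length > 1 ? URLDecoder.decode(kv[1], UTF_8) : "");
        }
        return params;
    }

    // Report where the client credentials travel: form body, Authorization header, or nowhere.
    static Method classify(String authorization, String body) {
        String secret = parseForm(body).get("client_secret");
        if (secret != null && !secret.isEmpty()) return Method.CLIENT_SECRET_POST;
        if (authorization != null && authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
                if (new String(raw, UTF_8).indexOf(':') > 0) return Method.CLIENT_SECRET_BASIC;
            } catch (IllegalArgumentException notBase64) { /* header carries no usable credentials */ }
        }
        return Method.NONE;
    }

    // Mask secrets and one-time values so the body can be pasted into a bug report.
    static String redact(String body) {
        return body.replaceAll("(^|&)(client_secret|code|refresh_token)=[^&]*", "$1$2=<redacted>");
    }

    public static void main(String[] args) {
        // Constructed sample requests; client id, secret and code are placeholders.
        String base = "grant_type=authorization_code&code=SAMPLE_CODE&client_id=sample-client"
                + "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2Fcode%2Fazuread";
        String basic = "Basic " + Base64.getEncoder().encodeToString("sample-client:sample-secret".getBytes(UTF_8));
        System.out.println(classify(null, base + "&client_secret=sample-secret")); // secret in body
        System.out.println(classify(basic, base));                                 // secret in header
        System.out.println(classify(null, base));                                  // symptom reported here
        System.out.println(redact(base + "&client_secret=sample-secret"));
    }
}
```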