Expected Behavior
Allow the setting of Resource Indicators for OAuth 2.0 on ClientRegistration to then be used for authentication requests.
Current Behavior
The current process for setting an RFC 8707 resource indicator might appear to begin with either
- Implementing a custom OAuth2AuthorizedClientManager and in the authorize method adding the indicator as a custom attribute entry to the OAuth2AuthorizationContext.
- Instantiating an existing OAuth2AuthorizedClientManager implementation and setting a contextAttributesMapper on that instance that would create the resource indicator entry.
However, it seems that this value would ultimately not be applied by a parametersConverter such as the OAuth2ClientCredentialsGrantRequestEntityConverter, so quite a bit more custom work appears to be necessary.
Context
My specific case involves a client credentials flow involving a resource indicator rather than core OAuth 2 scopes, using WebClient and a ServletOAuth2AuthorizedClientExchangeFilterFunction. I'm also leveraging spring-boot oauth client autoconfiguration properties, but as that project's property values are applied to spring-security ClientRegistrations, starting here seems to make the most sense.
The only existing issues involving resource indicators that I'm aware of are this project's #6972 and the spring-authorization-server project's support request.
Are there any other workarounds that I'm unaware of?