Make autoconfig work better for web app with client credentials and @EnableOAuth2Client

[fkowal]

I have a web application, configured like this

security:
  basic.enabled: false
  sessions: stateless
  oauth2:
    client:
      id: 'id'
      grant-type: client_credentials
      client-id: client_id
      client-secret: secret
      scope: myscope
      access-token-uri: http://someuri/oauth/token
    resource:
      jwt.key-uri: http://someuri/oauth/token_key

I @EnableOAuth2Client hoping that OAuthRestTemplate would use client_credentials on use.

sadly OAuth2RestOperationsConfiguration has the following code:

    protected abstract static class BaseConfiguration {

        @Bean
        @ConfigurationProperties("security.oauth2.client")
        @Primary
        public AuthorizationCodeResourceDetails oauth2RemoteResource() {
            AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
            return details;
        }

    }

    @Configuration
    @ConditionalOnNotWebApplication
    protected static class SingletonScopedConfiguration {

        @Bean
        @ConfigurationProperties("security.oauth2.client")
        @Primary
        public ClientCredentialsResourceDetails oauth2RemoteResource() {
            ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
            return details;
        }

        @Bean
        public DefaultOAuth2ClientContext oauth2ClientContext() {
            return new DefaultOAuth2ClientContext(new DefaultAccessTokenRequest());
        }

    }

SingletonScopedConfiguration is not used because of ConditionalOnNotWebApplication

AuthorizationCodeResourceDetails is created BUT the grant_type is overriden and set to client_credentials :/. This causes AuthorizationCodeAccessTokenProvider to fail on

public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
        return resource instanceof AuthorizationCodeResourceDetails
                && "authorization_code".equals(resource.getGrantType());
    }

Can i make a pull request changing @ConditionalOnNotWebApplication
to @ConditionalOnProperty(value="spring.oauth2.client.grant-type", havingValue="client-credentials") ?

[dsyer]

I don't think we'd want to change the default behaviour, but if you want to send a pull request with an explicit check for the grant type as well, that's probably fine.

[dsyer]

Actually, it is kind of screwy that an app that explicitly declares @EnableOAuth2Client and configures a security.oauth2.client.* for client credentials shouldn't be rewarded with a little more autoconfiguration love. It catches everyone out who tries to do it and it's not a big thing to fix. The OAuth2ClientContext is already created, but not the ClientCredentialsResourceDetails.

[snicoll]

Is there a reason to change this in 1.4.x. I agree with the general idea but that could come with side effects. 1.5 seems more sensible to me.

[dsyer]

I guess I don't mind. Lots of people asking about it now, is all, and 1.5 is not ready yet.

[dsyer]

Fixed in 77a1a3b