Add ServletBearerRequestInterceptor for RestClient (equivalent of ServletBearerExchangeFilterFunction) #17958

@doriangrelu

Expected Behavior

RestClient should provide an interceptor similar to ServletBearerExchangeFilterFunction for WebClient.
This would allow automatic propagation of an Authorization: Bearer header, by resolving an OAuth2AuthorizedClient through OAuth2AuthorizedClientManager and the current Authentication from SecurityContextHolder.

Current Behavior

Currently, there is no built-in integration between Spring Security and RestClient. Developers must implement their own ClientHttpRequestInterceptor to manually resolve an access token and set it in the request headers. This leads to repetitive boilerplate code and inconsistency compared to WebClient.

Context

We are adopting the new RestClient introduced in Spring Framework 6.1 for synchronous HTTP requests. While WebClient has a convenient ServletBearerExchangeFilterFunction to transparently handle OAuth2 access tokens, no such integration exists for RestClient.

This results in:

  • Duplicated custom interceptors across applications.
  • Inconsistency between RestClient and WebClient usage patterns.
  • Higher risk of misconfigurations for token propagation.

Alternatives considered:

  • Implementing a custom ClientHttpRequestInterceptor for each application.
  • Wrapping RestClient builders to centralize token logic.

Workaround:

A manual RequestInterceptor works, but it lacks the standardization and developer experience provided by Spring Security’s support for WebClient.

Proposal:

Introduce a ServletBearerRequestInterceptor (or similar) for RestClient that behaves like ServletBearerExchangeFilterFunction does for WebClient, enabling consistent, secure, and boilerplate-free token propagation in Servlet environments.
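
The manual workaround this issue describes, as an added example (not code from the issue author or from Spring Security): a ClientHttpRequestInterceptor that resolves an OAuth2AuthorizedClient through OAuth2AuthorizedClientManager for the current Authentication. The class name, the registration id parameter and the host allow-list are assumptions of this example; the allow-list and the fail-closed checks address the misconfiguration risk listed above.

```java
import java.io.IOException;
import java.util.Set;

import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;

// Hypothetical class name; added illustration, not a Spring Security class.
public final class ManualBearerRequestInterceptor implements ClientHttpRequestInterceptor {
    private final OAuth2AuthorizedClientManager manager;
    private final String registrationId;    // assumed client registration id
    private final Set<String> allowedHosts; // lowercase hosts permitted to receive the token

    public ManualBearerRequestInterceptor(OAuth2AuthorizedClientManager manager,
            String registrationId, Set<String> allowedHosts) {
        this.manager = manager;
        this.registrationId = registrationId;
        this.allowedHosts = Set.copyOf(allowedHosts);
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        String host = request.getURI().getHost();
        // Never attach the token to a host outside the allow-list or over plain HTTP.
        if (host == null || !allowedHosts.contains(host)
                || !"https".equalsIgnoreCase(request.getURI().getScheme())) {
            return execution.execute(request, body);
        }
        Authentication principal = SecurityContextHolder.getContext().getAuthentication();
        if (principal == null) {
            throw new IllegalStateException("No Authentication in SecurityContextHolder");
        }
        OAuth2AuthorizedClient client = manager.authorize(OAuth2AuthorizeRequest
                .withClientRegistrationId(registrationId).principal(principal).build());
        if (client == null) {
            // Fail closed instead of sending the request unauthenticated.
            throw new IllegalStateException("Client not authorized: " + registrationId);
        }
        request.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
        return execution.execute(request, body);
    }
}
```

An instance is registered with `RestClient.builder().requestInterceptor(...)`; requests to hosts outside the allow-list pass through without an Authorization header.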
