Align code in oauth2-client extensions for WebClient #6811

jgrandja opened this issue Apr 23, 2019 · 0 comments



commented Apr 23, 2019

The WebClient extensions for OAuth 2.0 Client are supported via ServletOAuth2AuthorizedClientExchangeFilterFunction (Servlet) and ServerOAuth2AuthorizedClientExchangeFilterFunction (WebFlux).

The ServerOAuth2AuthorizedClientExchangeFilterFunction (WebFlux) uses a collaborator OAuth2AuthorizedClientResolver to realize part of the feature set. However, ServletOAuth2AuthorizedClientExchangeFilterFunction (Servlet) doesn't have such a collaborator and therefore all the code is contained within. We should consider adding an OAuth2AuthorizedClientResolver equivalent for the Servlet version to align the code and provide consistency.

Furthermore, as we continue to add support for other grant types, e.g. Resource Owner Password Credentials #6003, the code within each ExchangeFilterFunction could grow quite a bit making it more complex and harder to maintain. It is also preferred that the code in each ExchangeFilterFunction is aligned/consistent and reused wherever possible. However, we need to be careful with reuse and ensure we don't introduce a blocking operation within the reactive implementation.

As part of this decomposition exercise, we should consider re-structuring components/collaborators so they can potentially be reused by other technology stacks, e.g. WebFlux's WebSocketClient #6711, RestTemplate or Feign Client.

Related #6683, #6780

This issue is divided into the following tasks.


  • #17 Introduce OAuth2AuthorizedClientProvider
  • #18 Implement authorization_code OAuth2AuthorizedClientProvider
  • #19 Implement client_credentials OAuth2AuthorizedClientProvider
  • #20 Add refresh_token OAuth2AccessTokenResponseClient
  • #21 Implement refresh_token OAuth2AuthorizedClientProvider
  • #22 Implement delegating OAuth2AuthorizedClientProvider
  • #29 Refactor and use OAuth2AuthorizedClientProvider implementations
  • #37 Simplify population of OAuth2AuthorizationContext
  • #59 Redesign OAuth2AuthorizedClientProvider to load/save OAuth2AuthorizedClient
  • #60 ClientCredentialsOAuth2AuthorizedClientProvider should load/save OAuth2AuthorizedClient
  • #61 RefreshTokenOAuth2AuthorizedClientProvider should load/save OAuth2AuthorizedClient
  • #62 Refactor and use redesigned OAuth2AuthorizedClientProvider implementations


  • #42 Introduce ReactiveOAuth2AuthorizedClientProvider
  • #43 Implement authorization_code ReactiveOAuth2AuthorizedClientProvider
  • #44 Implement client_credentials ReactiveOAuth2AuthorizedClientProvider
  • #45 Add refresh_token ReactiveOAuth2AccessTokenResponseClient
  • #46 Implement refresh_token ReactiveOAuth2AuthorizedClientProvider
  • #47 Implement delegating ReactiveOAuth2AuthorizedClientProvider
  • #48 Refactor and use ReactiveOAuth2AuthorizedClientProvider implementations

jgrandja self-assigned this Apr 23, 2019

jgrandja added this to the 5.2.0.RC1 milestone Apr 23, 2019

jgrandja added this to jgrandja in Security Team Apr 23, 2019

rwinch removed the Reactive label May 6, 2019

jgrandja moved this from jgrandja to In Progress in Security Team May 6, 2019

jgrandja added a commit to jgrandja/spring-security that referenced this issue May 6, 2019

jgrandja modified the milestones: 5.2.0.M3, 5.2.x Jun 3, 2019
