Expected Behavior

When using an OAuth2 client registration configured for the client credentials flow, the ServerOAuth2AuthorizedClientExchangeFilterFunction should use tokens scoped for the application instead of the current user.

Current Behavior

The ReactiveOAuth2AuthorizedClientManager is called using a currentAuthenticationMono, which is based on the security context. In an application with logged-in users, different tokens are acquired for each user, even if it doesn't make sense with the client credentials flow: the request is authorized in the name of the application itself (the client), not on behalf of the user.

Context

With the OAuth2ClientHttpRequestInterceptor for RestClient, we can set the principal resolver to something that always returns null, and with the ServletOAuth2AuthorizedClientExchangeFilterFunction, we can set the security context holder strategy to something that always returns an empty context.

In both cases, the authorized client manager is called with an anonymous authentication singleton, and the tokens acquired using the client credentials flow are scoped to the application.

I couldn't find an equivalent for the ServerOAuth2AuthorizedClientExchangeFilterFunction.
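The two non-reactive configurations the issue describes (null principal resolver for the RestClient interceptor, always-empty security context for the servlet filter function), as an added example that is not part of the issue or of Spring Security's own code; the registration id "app-client" and the bean names are assumptions:

```java
// Added example: configure the RestClient interceptor and the servlet WebClient
// filter function so that client-credentials tokens are requested for the
// application itself, never keyed to whichever user happens to be logged in.
// Assumes a registration "app-client" with authorization-grant-type
// client_credentials in application.yml (hypothetical name).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.client.OAuth2ClientHttpRequestInterceptor;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.client.RestClient;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
class ApplicationScopedClientConfig {

    private static final String REGISTRATION_ID = "app-client"; // hypothetical registration id

    // RestClient: resolving the principal to null makes the interceptor fall back to its
    // anonymous authentication, so the authorized client is cached per application.
    @Bean
    RestClient appRestClient(OAuth2AuthorizedClientManager manager) {
        OAuth2ClientHttpRequestInterceptor interceptor = new OAuth2ClientHttpRequestInterceptor(manager);
        interceptor.setClientRegistrationIdResolver(request -> REGISTRATION_ID);
        interceptor.setPrincipalResolver(request -> null);
        return RestClient.builder().requestInterceptor(interceptor).build();
    }

    // WebClient on the servlet stack: a strategy whose context is always empty keeps the
    // logged-in user's Authentication from ever reaching the authorized client manager.
    @Bean
    WebClient appWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId(REGISTRATION_ID);
        oauth2.setSecurityContextHolderStrategy(new EmptyContextStrategy());
        return WebClient.builder().apply(oauth2.oauth2Configuration()).build();
    }

    // Minimal strategy that never holds a context; writes are deliberately ignored.
    static final class EmptyContextStrategy implements SecurityContextHolderStrategy {
        @Override public void clearContext() { }
        @Override public SecurityContext getContext() { return createEmptyContext(); }
        @Override public void setContext(SecurityContext context) { }
        @Override public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
    }
}
```

Both beans only make sense for client_credentials registrations; for authorization_code registrations the user's Authentication is exactly what the manager must see.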

Comment From: rohan-naik07

@jgrandja can you assign me this task?

Comment From: jgrandja

@rohan-naik07 Thanks for the offer, but this issue hasn't been assigned to a release yet. We have a number of higher priority items on our list for the major release of Spring Security 7.0 and Spring Authorization Server 2.0, and with fewer resources on our team it will limit the new features in the next release.

Comment From: rohan-naik07

Ok, will ping again after the 7.0 release. I get it that things are tight, but if possible, can you provide a link to another issue that needs to be attended to for the upcoming release? Like some documentation work or bug fixing... I already have a grasp of Spring Security internals and architecture and even wrote a blog on it. Attaching a link to the blog. Go through it if you get some time off.

https://medium.com/@rohannaik_74642/in-depth-spring-security-part-1-940a27c25acf

Comment From: jgrandja

@rohan-naik07 Would you be interested in gh-16391 ?