Expected Behavior
When using an OAuth2 client registration configured for the client credentials flow, the ServerOAuth2AuthorizedClientExchangeFilterFunction should use tokens scoped to the application instead of to the current user.
Current Behavior
The ReactiveOAuth2AuthorizedClientManager is called using a currentAuthenticationMono, which is based on the security context. In an application with logged-in users, a different token is acquired for each user, even though this does not make sense for the client credentials flow: the request is authorized in the name of the application itself (the client), not on behalf of a user.
Context
With the OAuth2ClientHttpRequestInterceptor for RestClient, we can set the principal resolver to something that always returns null, and with the ServletOAuth2AuthorizedClientExchangeFilterFunction, we can set the security context holder strategy to something that always returns an empty context. In both cases, the authorized client manager is called with an anonymous authentication singleton, and the tokens acquired using the client credentials flow are scoped to the application.
I couldn't find an equivalent for the ServerOAuth2AuthorizedClientExchangeFilterFunction.
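The two servlet-side workarounds described above, written out as an added example (not code from the issue or from Spring Security itself). The registration id is a constructed placeholder, and the OAuth2AuthorizedClientManager is assumed to be an already configured bean.

```java
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.client.OAuth2ClientHttpRequestInterceptor;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.client.RestClient;
import org.springframework.web.reactive.function.client.WebClient;

public final class ApplicationScopedClients {

    // Constructed placeholder; the real id comes from the client registration configuration.
    private static final String REGISTRATION_ID = "example-client-credentials";

    // RestClient: a principal resolver that always returns null, so the manager
    // is invoked with the anonymous authentication rather than the logged-in user.
    public static RestClient restClient(OAuth2AuthorizedClientManager manager) {
        OAuth2ClientHttpRequestInterceptor interceptor = new OAuth2ClientHttpRequestInterceptor(manager);
        interceptor.setClientRegistrationIdResolver(request -> REGISTRATION_ID);
        interceptor.setPrincipalResolver(request -> null);
        return RestClient.builder().requestInterceptor(interceptor).build();
    }

    // Servlet WebClient: a SecurityContextHolderStrategy that never holds a context,
    // so the filter never sees the current user's Authentication.
    public static WebClient servletWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction filter =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        filter.setDefaultClientRegistrationId(REGISTRATION_ID);
        filter.setSecurityContextHolderStrategy(new SecurityContextHolderStrategy() {
            @Override public void clearContext() { }
            @Override public SecurityContext getContext() { return createEmptyContext(); }
            @Override public void setContext(SecurityContext context) { }
            @Override public SecurityContext createEmptyContext() {
                return SecurityContextHolder.createEmptyContext();
            }
        });
        return WebClient.builder().apply(filter.oauth2Configuration()).build();
    }
}
```

Both clients then obtain a single application-scoped token per registration regardless of which user's request triggered the call, which is the behaviour the issue asks for on the reactive side.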