Describe the bug I encountered an UnsatisfiedDependencyException while migrating from Spring Security 6.1.9 to 6.2.8. The exception occurs during the initialization of the OAuth2ClientConfiguration class, specifically when trying to create a bean for OAuth2AuthorizedClientManagerRegistrar.
ERROR [main] (ContextLoader.java294) - Context initialization failed
2025-04-22 20:14:02 org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through method 'setAuthorizedClientManagerRegistrar' parameter 0: No qualifying bean of type 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
To Reproduce
-
Upgrade Spring Security from 6.1.9 to 6.2.8.
-
Attempt to initialize the application context.
Expected behavior The application context should initialize without errors, and the OAuth2AuthorizedClientManagerRegistrar bean should be correctly registered.
Actual Behavior The application fails to initialize, throwing an UnsatisfiedDependencyException due to the missing OAuth2AuthorizedClientManagerRegistrar bean.
Sample Configuration
` @Configuration public class CustomOAuth2ClientConfig {
@Bean public OAuth2AuthorizedClientManager authorizedClientManager( ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository) { OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder() .authorizationCode() .refreshToken() .clientCredentials() .password() .build(); DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository); authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider); return authorizedClientManager; } ` Additional Information
-
CustomOAuth2ClientConfig has other bean configuration like ClientRegistrationRepository, OAuth2ProtectedResourceDetailsCustom, OAuth2AuthorizedClientService, OAuth2AuthorizedClientRepository, AuthorizationRequestRepository
, OAuth2AuthorizationRequestRedirectFilter, CustomOAuth2AuthorizationRequestResolver, CustomOAuth2LoginAuthenticationFilter, CustomOAuth2LoginAuthenticationProvider, DefaultAuthorizationCodeTokenResponseClient, CustomOAuth2UserService, OAuthAuthenticationFailureHandler -
The migration guide for Spring Security 6.2 does not mention changes related to OAuth2AuthorizedClientManagerRegistrar, this was not there in 6.1.x, it's added in 6.2.x
-
@Import Initialization Order in OAuth2ClientConfiguration could be problems ? : The OAuth2ClientWebMvcImportSelector is initialized before the OAuth2AuthorizedClientManagerConfiguration, but the latter creates the authorizedClientManagerRegistrar bean, which is required during the initialization of the former.
Environment:
Spring Security version: 6.2.8 Java version: 17 Build tool: Maven
Request for Help: I would appreciate any guidance on resolving this issue or confirmation if there is any config issue in my code
Comment From: jzheaux
Hi, @mantu-ms. Both 6.1.x and 6.2.x are no longer supported, though if it is indeed a bug, it may be in supported versions os Spring Security as well.
Are you able to create a minimal GitHub sample that reproduces the issue and that is based on 6.3.x or another supported release?
Comment From: mantu-ms
@jzheaux thanks for your attention , I tried with 6.4.5 as well , getting same error.
I will try to create a minimal sample and reproduce it . Just an FYI my project is not on spring boot.
One question regarding the import order in OAuth2ClientConfiguration.java, The OAuth2ClientWebMvcImportSelector is initialized before the OAuth2AuthorizedClientManagerConfiguration, but the latter creates the authorizedClientManagerRegistrar bean, which is required during the initialization of the former.
https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
Comment From: mantu-ms
Hey @jzheaux
I have created a sample that reproduce the issue (with latest version spring 6.2.6 and security 6.4.5).
https://github.com/mantusingh/spring-security-issue/tree/main/spring-security-issue
Run :- ./run-docker.sh (https://github.com/mantusingh/spring-security-issue/blob/main/README.md )
Spring Security attempts to create two beans with the same name, one from "org.springframework.security.config.http.OAuth2AuthorizedClientManagerRegistrar" and another from "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar". This leads to a conflict during Spring container initialization. Below is the detailed analysis:
Bean Registration via SecurityNamespaceHandler:
If security tags (e.g.,<http></http>) are defined in applicationContext.xml, the SecurityNamespaceHandler uses HttpSecurityBeanDefinitionParser to parse these tags. During this process, the AuthenticationConfigBuilder.registerOAuth2ClientPostProcessors() method registers the bean org.springframework.security.config.http.OAuth2AuthorizedClientManagerRegistrar with the name authorizedClientManagerRegistrar:
private void registerOAuth2ClientPostProcessors() {
if (!this.oauth2LoginEnabled && !this.oauth2ClientEnabled) {
return;
}
if (webMvcPresent) {
this.pc.getReaderContext()
.registerWithGeneratedName(new RootBeanDefinition(OAuth2ClientWebMvcSecurityPostProcessor.class));
}
this.pc.getReaderContext()
.getRegistry()
.registerBeanDefinition(OAuth2AuthorizedClientManagerRegistrar.BEAN_NAME,
new RootBeanDefinition(OAuth2AuthorizedClientManagerRegistrar.class));
}
Configuration Class Processing: Later, the ConfigurationClassBeanDefinitionReader processes configuration classes and attempts to load the bean definition for org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar. However, it skips this bean definition because a bean with the same name (authorizedClientManagerRegistrar) already exists. The following debug message is logged:
DEBUG [main] (ConfigurationClassBeanDefinitionReader.java347) - Skipping bean definition for BeanMethod: org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerConfiguration.authorizedClientManagerRegistrar(): a definition for bean 'authorizedClientManagerRegistrar' already exists. This top-level bean definition is considered as an override.
Dependency Resolution Failure: The OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration class requires org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar as a constructor dependency. Since the bean definition for this class was skipped, the Spring container fails to initialize, resulting in the following exception:
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2:
No qualifying bean of type 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
Comment From: mantu-ms
@jzheaux @spring-projects-issues Can anyone please check on this issue?
Comment From: mantu-ms
@jzheaux Can anyone please check on this issue?