I have a Spring Boot 4 app with an OAuth2 client registration that is configured with refresh_token for the authorization-grant-type. The client is configured from properties. Now I get the following warning on app start:

WARN  .s.o.c.r.ClientRegistration$Builder - clientSettings.isRequireProofKey=true is only valid with authorizationGrantType=AuthorizationGrantType{value='authorization_code'}. Got authorizationGrantType=AuthorizationGrantType{value='refresh_token'}. Resetting to clientSettings.isRequireProofKey=false

Clients with client_credentials-flow will result in the same warning.

To Reproduce: Start a Spring Boot 4 app with the following properties:

spring.security.oauth2.client.registration.example.client-id=my-client
spring.security.oauth2.client.registration.example.authorization-grant-type=refresh_token
spring.security.oauth2.client.registration.example.scope=openid
spring.security.oauth2.client.registration.example.provider=google

Expected behavior: No warning is logged when a non-auth-code client registration is used with defaults. From my point of view the warning, or the default that PKCE is enabled, only makes sense for client registrations with the authorization code flow.
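For comparison, the same registration built programmatically with the PKCE setting made explicit (an added example, not code from the issue or from Spring Security; the client secret and token URI are placeholders, and whether an explicit requireProofKey(false) avoids the warning in Spring Security 7 is an assumption drawn from the "Resetting to ... false" text of the log line):

```java
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

public final class RefreshTokenRegistrationExample {

    // Placeholders: the issue only gives client-id, grant type, scope and provider.
    private static final String CLIENT_SECRET = "<client-secret-placeholder>";
    private static final String TOKEN_URI = "https://provider.example/oauth2/token";

    // Equivalent of the properties in the issue, but with clientSettings set by hand.
    public static ClientRegistration refreshTokenRegistration() {
        return ClientRegistration.withRegistrationId("example")
                .clientId("my-client")
                .clientSecret(CLIENT_SECRET)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .tokenUri(TOKEN_URI)
                .scope("openid")
                // PKCE (require-proof-key) only has meaning for the authorization_code
                // grant, so it is stated as false here instead of relying on the
                // default that the builder then has to reset (assumption: this is
                // enough to keep the builder quiet for a refresh_token registration).
                .clientSettings(ClientRegistration.ClientSettings.builder()
                        .requireProofKey(false)
                        .build())
                .build();
    }

    // Prints the effective setting so a reader can confirm what was registered.
    public static void main(String[] args) {
        ClientRegistration registration = refreshTokenRegistration();
        System.out.println(registration.getRegistrationId() + " grant="
                + registration.getAuthorizationGrantType().getValue()
                + " requireProofKey="
                + registration.getClientSettings().isRequireProofKey());
    }
}
```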

Comment From: phactum-mnestler

Same issue here, using client_credentials causes this warning to appear in Spring Security 7 with no obvious workaround.

Comment From: rohan-naik07

@jgrandja I can take this up if we are taking this forward.