Add application-scoped access tokens for reactive OAuth2 client#18774

Open
jyx-07 wants to merge 2 commits into spring-projects:main from jyx-07:docs/reactive-oauth2-access-token
Conversation

@jyx-07
@jyx-07 jyx-07 commented Feb 22, 2026

Closes #17129

Problem

The Spring Security documentation explains how to use application-scoped
access tokens (Client Credentials grant) for servlet applications, but
there was no equivalent documentation for reactive applications.

Solution

Add a new section to the reactive OAuth2 client authorization-grants
documentation that shows how to configure WebClient with
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager for
application-scoped (non-user-scoped) access tokens.

Changes

  • docs: Add new section "Use the Client Credentials Grant for
    Application-Scoped Access Tokens" to authorization-grants.adoc
  • test: Add ApplicationScopedAccessTokenConfiguration.java
  • test: Add ApplicationScopedAccessTokenTests.java

…2 client

Signed-off-by: C0ng_yun <s25069@gsm.hs.kr>
@jyx-07 jyx-07 force-pushed the docs/reactive-oauth2-access-token branch from ea08448 to d59ab13 on February 22, 2026 09:55
@spring-projects-issues spring-projects-issues added the label status: waiting-for-triage (An issue we've not yet triaged) on Feb 22, 2026
@thladsb
thladsb commented Mar 3, 2026

I believe ServerOAuth2AuthorizedClientExchangeFilterFunction is not application-scoped, as mentioned in issue #17218.

@jyx-07
Author

jyx-07 commented Mar 13, 2026

Thanks for pointing this out.

In this example, the WebClient is configured with
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager
and a clientCredentials() provider, which means the access token
is obtained using the Client Credentials grant.

Since this grant type does not involve a user, the token is
application-scoped.

ServerOAuth2AuthorizedClientExchangeFilterFunction is used here
only as a WebClient filter that delegates authorization to the
configured ReactiveOAuth2AuthorizedClientManager.

@FryingHellfish

I agree with @thladsb. I was hoping for an example similar to Use the Client Credentials Grant, specifically the part demonstrating OAuth2ClientHttpRequestInterceptor and RequestAttributePrincipalResolver.

@jyx-07
Author

jyx-07 commented Mar 17, 2026

Thank you both for the feedback.

You're right. ServerOAuth2AuthorizedClientExchangeFilterFunction attempts to resolve the principal from ServerWebExchange, so it is not truly application-scoped.

I've updated the example to use a custom ExchangeFilterFunction that calls AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.authorize() directly with an OAuth2AuthorizeRequest, similar to how OAuth2ClientHttpRequestInterceptor with RequestAttributePrincipalResolver is used in the servlet stack. This avoids any dependency on ServerWebExchange and makes the application-scoped intent explicit.
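The approach jyx-07 describes above, written out as an added illustration (this is not the PR's ApplicationScopedAccessTokenConfiguration.java and not Spring Security's own documentation); the registration id "my-client" and the fixed principal name "application" are assumptions:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class ApplicationScopedWebClientConfig {

    // Assumed registration id: must match spring.security.oauth2.client.registration.<id>.* properties
    private static final String REGISTRATION_ID = "my-client";

    @Bean
    ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
            ReactiveClientRegistrationRepository clientRegistrationRepository,
            ReactiveOAuth2AuthorizedClientService authorizedClientService) {
        // Only the client_credentials grant is enabled, so no end-user login is ever involved
        ReactiveOAuth2AuthorizedClientProvider provider = ReactiveOAuth2AuthorizedClientProviderBuilder
                .builder().clientCredentials().build();
        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient webClient(ReactiveOAuth2AuthorizedClientManager manager) {
        // Custom filter: the token comes from the manager, never from a ServerWebExchange,
        // so the same application-level token is reused regardless of any request context
        ExchangeFilterFunction bearerToken = (request, next) -> {
            OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                    .withClientRegistrationId(REGISTRATION_ID)
                    .principal("application") // assumed fixed, non-user principal name (cache key)
                    .build();
            return manager.authorize(authorizeRequest)
                    .map(client -> ClientRequest.from(request)
                            .headers(h -> h.setBearerAuth(client.getAccessToken().getTokenValue()))
                            .build())
                    .flatMap(next::exchange);
        };
        return WebClient.builder().filter(bearerToken).build();
    }
}
```

Because the principal name is constant, the authorized client service caches one token per registration for the whole application and the manager refreshes it on expiry.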

… client

Signed-off-by: C0ng_yun <s25069@gsm.hs.kr>
@jyx-07 jyx-07 force-pushed the docs/reactive-oauth2-access-token branch from 6466f5a to 8c4e766 on March 17, 2026 08:18

Labels

status: waiting-for-triage An issue we've not yet triaged

Development

Successfully merging this pull request may close these issues.

Document Application-Scoped Access Tokens for Reactive OAuth2 Client Applications

4 participants