Restructure OAuth2 client auto-configuration

Previously, OAuth2 client auto-configuration was managed by a single
class:

- OAuth2ClientAutoConfiguration for servlet apps
- ReactiveOAuth2ClientAutoConfiguration for reactive apps

OAuth2ClientAutoConfiguration being for servlet apps meant that
a blocking OAuth2 client was not availabile in a non-web application.

The auto-configuration classes did two things:

- Auto-configured beans that are specific to server-side web security
  that uses an OAuth2 client
- Auto-configured OAuth2 client beans that may be used client- or
  server-side

Combining these two things into a single auto-configuration class
meant that you could not choose to use one or the other. For example,
you may want to make use of an OAuth2 client in a web application
without also using OAuth2 client-based web security.

This commit restructures the auto-configuration to address these
problems. There are now two auto-configurations for non-reactive apps:

- OAuth2ClientAutoConfiguration
- OAuth2ClientWebSecurityAutoConfiguration

and two auto-configurations for reactive apps:

- ReactiveOAuth2ClientAutoConfiguration
- ReactiveOAuth2ClientWebSecurityAutoConfiguration

This separation allows one to be used without the other. Furthermore,
the conditions have been updated so that, for example, the blocking
OAuth2 client is available in a non-web application.

Closes gh-40997
Closes gh-44906

Co-authored-by: Moritz Halbritter <[email protected]>

Author: wilkinsona

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java

@@ -28,7 +28,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientWebSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration;
@@ -57,7 +57,7 @@
  */
 @AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class,
 		after = { HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class,
-				WebEndpointAutoConfiguration.class, ReactiveOAuth2ClientAutoConfiguration.class,
+				WebEndpointAutoConfiguration.class, ReactiveOAuth2ClientWebSecurityAutoConfiguration.class,
 				ReactiveOAuth2ResourceServerAutoConfiguration.class,
 				ReactiveUserDetailsServiceAutoConfiguration.class })
 @ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class })

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
-import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientWebSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
@@ -53,7 +53,7 @@
  */
 @AutoConfiguration(before = SecurityAutoConfiguration.class,
 		after = { HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class,
-				WebEndpointAutoConfiguration.class, OAuth2ClientAutoConfiguration.class,
+				WebEndpointAutoConfiguration.class, OAuth2ClientWebSecurityAutoConfiguration.class,
 				OAuth2ResourceServerAutoConfiguration.class, Saml2RelyingPartyAutoConfiguration.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
 @ConditionalOnDefaultWebSecurity

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientAutoConfiguration.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2012-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security.oauth2.client;
+
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.condition.NoneNestedConditions;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientAutoConfiguration.NonReactiveWebApplicationCondition;
+import org.springframework.context.annotation.Conditional;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+
+/**
+ * {@link EnableAutoConfiguration Auto-configuration} for OAuth client support.
+ *
+ * @author Madhura Bhave
+ * @author Phillip Webb
+ * @since 3.5.0
+ */
+@AutoConfiguration
+@Conditional(NonReactiveWebApplicationCondition.class)
+@ConditionalOnClass(ClientRegistration.class)
+@Import({ OAuth2ClientConfigurations.ClientRegistrationRepositoryConfiguration.class,
+		OAuth2ClientConfigurations.OAuth2AuthorizedClientServiceConfiguration.class })
+public class OAuth2ClientAutoConfiguration {
+
+	static class NonReactiveWebApplicationCondition extends NoneNestedConditions {
+
+		NonReactiveWebApplicationCondition() {
+			super(ConfigurationPhase.PARSE_CONFIGURATION);
+		}
+
+		@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
+		static class ReactiveWebApplicationCondition {
+
+		}
+
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2ClientRegistrationRepositoryConfiguration.java renamed to spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientConfigurations.java

@@ -14,39 +14,56 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.autoconfigure.security.oauth2.client.servlet;
+package org.springframework.boot.autoconfigure.security.oauth2.client;
 
 import java.util.ArrayList;
 import java.util.List;
 
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.security.oauth2.client.ConditionalOnOAuth2ClientRegistrationProperties;
-import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
-import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 
 /**
- * {@link Configuration @Configuration} used to map {@link OAuth2ClientProperties} to
- * client registrations.
+ * Configurations related to auto-configuration of OAuth2 client support.
  *
  * @author Madhura Bhave
+ * @author Andy Wilkinson
  */
-@Configuration(proxyBeanMethods = false)
-@EnableConfigurationProperties(OAuth2ClientProperties.class)
-@ConditionalOnOAuth2ClientRegistrationProperties
-class OAuth2ClientRegistrationRepositoryConfiguration {
+class OAuth2ClientConfigurations {
 
-	@Bean
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnOAuth2ClientRegistrationProperties
+	@EnableConfigurationProperties(OAuth2ClientProperties.class)
 	@ConditionalOnMissingBean(ClientRegistrationRepository.class)
-	InMemoryClientRegistrationRepository clientRegistrationRepository(OAuth2ClientProperties properties) {
-		List<ClientRegistration> registrations = new ArrayList<>(
-				new OAuth2ClientPropertiesMapper(properties).asClientRegistrations().values());
-		return new InMemoryClientRegistrationRepository(registrations);
+	static class ClientRegistrationRepositoryConfiguration {
+
+		@Bean
+		InMemoryClientRegistrationRepository clientRegistrationRepository(OAuth2ClientProperties properties) {
+			List<ClientRegistration> registrations = new ArrayList<>(
+					new OAuth2ClientPropertiesMapper(properties).asClientRegistrations().values());
+			return new InMemoryClientRegistrationRepository(registrations);
+		}
+
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnBean(ClientRegistrationRepository.class)
+	static class OAuth2AuthorizedClientServiceConfiguration {
+
+		@Bean
+		@ConditionalOnMissingBean
+		OAuth2AuthorizedClientService authorizedClientService(
+				ClientRegistrationRepository clientRegistrationRepository) {
+			return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,12 +23,8 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.NoneNestedConditions;
-import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
-import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Import;
-import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 /**
@@ -38,12 +34,11 @@
  * @author Madhura Bhave
  * @since 2.1.0
  */
-@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class)
-@EnableConfigurationProperties(OAuth2ClientProperties.class)
+@AutoConfiguration
 @Conditional(ReactiveOAuth2ClientAutoConfiguration.NonServletApplicationCondition.class)
-@ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ClientRegistration.class })
+@ConditionalOnClass({ Flux.class, ClientRegistration.class })
 @Import({ ReactiveOAuth2ClientConfigurations.ReactiveClientRegistrationRepositoryConfiguration.class,
-		ReactiveOAuth2ClientConfigurations.ReactiveOAuth2ClientConfiguration.class })
+		ReactiveOAuth2ClientConfigurations.ReactiveOAuth2AuthorizedClientServiceConfiguration.class })
 public class ReactiveOAuth2ClientAutoConfiguration {
 
 	static class NonServletApplicationCondition extends NoneNestedConditions {

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientConfigurations.java

@@ -21,23 +21,17 @@
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.oauth2.client.ConditionalOnOAuth2ClientRegistrationProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
-import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository;
-import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
-import org.springframework.security.web.server.SecurityWebFilterChain;
-
-import static org.springframework.security.config.Customizer.withDefaults;
 
 /**
  * Reactive OAuth2 Client configurations.
@@ -47,12 +41,14 @@
 class ReactiveOAuth2ClientConfigurations {
 
 	@Configuration(proxyBeanMethods = false)
+	@EnableConfigurationProperties(OAuth2ClientProperties.class)
 	@ConditionalOnOAuth2ClientRegistrationProperties
 	@ConditionalOnMissingBean(ReactiveClientRegistrationRepository.class)
 	static class ReactiveClientRegistrationRepositoryConfiguration {
 
 		@Bean
-		InMemoryReactiveClientRegistrationRepository clientRegistrationRepository(OAuth2ClientProperties properties) {
+		InMemoryReactiveClientRegistrationRepository reactiveClientRegistrationRepository(
+				OAuth2ClientProperties properties) {
 			List<ClientRegistration> registrations = new ArrayList<>(
 					new OAuth2ClientPropertiesMapper(properties).asClientRegistrations().values());
 			return new InMemoryReactiveClientRegistrationRepository(registrations);
@@ -62,37 +58,15 @@ InMemoryReactiveClientRegistrationRepository clientRegistrationRepository(OAuth2
 
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnBean(ReactiveClientRegistrationRepository.class)
-	static class ReactiveOAuth2ClientConfiguration {
+	static class ReactiveOAuth2AuthorizedClientServiceConfiguration {
 
 		@Bean
 		@ConditionalOnMissingBean
-		ReactiveOAuth2AuthorizedClientService authorizedClientService(
+		ReactiveOAuth2AuthorizedClientService reactiveAuthorizedClientService(
 				ReactiveClientRegistrationRepository clientRegistrationRepository) {
 			return new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrationRepository);
 		}
 
-		@Bean
-		@ConditionalOnMissingBean
-		ServerOAuth2AuthorizedClientRepository authorizedClientRepository(
-				ReactiveOAuth2AuthorizedClientService authorizedClientService) {
-			return new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService);
-		}
-
-		@Configuration(proxyBeanMethods = false)
-		@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
-		static class SecurityWebFilterChainConfiguration {
-
-			@Bean
-			@ConditionalOnMissingBean
-			SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
-				http.authorizeExchange((exchange) -> exchange.anyExchange().authenticated());
-				http.oauth2Login(withDefaults());
-				http.oauth2Client(withDefaults());
-				return http.build();
-			}
-
-		}
-
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientWebSecurityAutoConfiguration.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2012-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security.oauth2.client.reactive;
+
+import reactor.core.publisher.Flux;
+
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+
+import static org.springframework.security.config.Customizer.withDefaults;
+
+/**
+ * Auto-configuration for reactive web security that uses an OAuth 2 client.
+ *
+ * @author Madhura Bhave
+ * @author Phillip Webb
+ * @author Andy Wilkinson
+ * @since 3.5.0
+ */
+@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class,
+		after = ReactiveOAuth2ClientAutoConfiguration.class)
+@ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ServerOAuth2AuthorizedClientRepository.class })
+@ConditionalOnBean(ReactiveOAuth2AuthorizedClientService.class)
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
+public class ReactiveOAuth2ClientWebSecurityAutoConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	ServerOAuth2AuthorizedClientRepository authorizedClientRepository(
+			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
+		return new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService);
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+		http.authorizeExchange((exchange) -> exchange.anyExchange().authenticated());
+		http.oauth2Login(withDefaults());
+		http.oauth2Client(withDefaults());
+		return http.build();
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2ClientAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,26 +16,18 @@
 
 package org.springframework.boot.autoconfigure.security.oauth2.client.servlet;
 
-import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.context.annotation.Import;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for OAuth client support.
  *
  * @author Madhura Bhave
  * @author Phillip Webb
  * @since 2.0.0
+ * @deprecated since 3.5.0 for removal in 4.0.0 in favor of
+ * {@link org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientAutoConfiguration}
  */
-@AutoConfiguration(before = SecurityAutoConfiguration.class)
-@ConditionalOnClass({ EnableWebSecurity.class, ClientRegistration.class })
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-@Import({ OAuth2ClientRegistrationRepositoryConfiguration.class, OAuth2WebSecurityConfiguration.class })
+@Deprecated(since = "3.5.0", forRemoval = true)
 public class OAuth2ClientAutoConfiguration {
 
 }