Separate OAuth 2.0 Client Reactive Docs

Issue gh-10367
4 years ago · 50196537e1
6 changed files with 991 additions and 1014 deletions
--- a/docs/modules/ROOT/nav.adoc
+++ b/docs/modules/ROOT/nav.adoc
@ -121,7 +121,11 @@
 *** xref:reactive/authorization/method.adoc[EnableReactiveMethodSecurity]
 ** xref:reactive/oauth2/index.adoc[OAuth2]
 *** xref:reactive/oauth2/login.adoc[OAuth2 Log In]
-*** xref:reactive/oauth2/oauth2-client.adoc[OAuth2 Client]
+*** xref:reactive/oauth2/client/index.adoc[OAuth2 Client]
 **** xref:reactive/oauth2/client/core.adoc[Core Interfaces and Classes]
 **** xref:reactive/oauth2/client/authorization-grants.adoc[OAuth2 Authorization Grants]
 **** xref:reactive/oauth2/client/client-authentication.adoc[OAuth2 Client Authentication]
 **** xref:reactive/oauth2/client/authorized-clients.adoc[OAuth2 Authorized Clients]
 *** xref:reactive/oauth2/resource-server/index.adoc[OAuth2 Resource Server]
 **** xref:reactive/oauth2/resource-server/jwt.adoc[JWT]
 **** xref:reactive/oauth2/resource-server/opaque-token.adoc[Opaque Token]
--- a/docs/modules/ROOT/pages/reactive/oauth2/client/authorization-grants.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/client/authorization-grants.adoc
--- a/docs/modules/ROOT/pages/reactive/oauth2/client/authorized-clients.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/client/authorized-clients.adoc
@ -0,0 +1,250 @@
 [[oauth2Client-additional-features]]
 = Authorized Clients
 [[oauth2Client-registered-authorized-client]]
 == Resolving an Authorized Client
 The `@RegisteredOAuth2AuthorizedClient` annotation provides the capability of resolving a method parameter to an argument value of type `OAuth2AuthorizedClient`.
 This is a convenient alternative compared to accessing the `OAuth2AuthorizedClient` using the `ReactiveOAuth2AuthorizedClientManager` or `ReactiveOAuth2AuthorizedClientService`.
 ====
 .Java
 [source,java,role="primary"]
 ----
@Controller
 public class OAuth2ClientController {
 	@GetMapping("/")
 	public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
 		return Mono.just(authorizedClient.getAccessToken())
 				...
 				.thenReturn("index");
 	}
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Controller
 class OAuth2ClientController {
    @GetMapping("/")
    fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
        return Mono.just(authorizedClient.accessToken)
                ...
                .thenReturn("index")
    }
 }
 ----
 ====
 The `@RegisteredOAuth2AuthorizedClient` annotation is handled by `OAuth2AuthorizedClientArgumentResolver`, which directly uses a <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits it's capabilities.
 [[oauth2Client-webclient-webflux]]
 == WebClient integration for Reactive Environments
 The OAuth 2.0 Client support integrates with `WebClient` using an `ExchangeFilterFunction`.
 The `ServerOAuth2AuthorizedClientExchangeFilterFunction` provides a simple mechanism for requesting protected resources by using an `OAuth2AuthorizedClient` and including the associated `OAuth2AccessToken` as a Bearer Token.
 It directly uses an <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits the following capabilities:
 * An `OAuth2AccessToken` will be requested if the client has not yet been authorized.
 ** `authorization_code` - triggers the Authorization Request redirect to initiate the flow
 ** `client_credentials` - the access token is obtained directly from the Token Endpoint
 ** `password` - the access token is obtained directly from the Token Endpoint
 * If the `OAuth2AccessToken` is expired, it will be refreshed (or renewed) if a `ReactiveOAuth2AuthorizedClientProvider` is available to perform the authorization
 The following code shows an example of how to configure `WebClient` with OAuth 2.0 Client support:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
 	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
 			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
 	return WebClient.builder()
 			.filter(oauth2Client)
 			.build();
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
 }
 ----
 ====
 === Providing the Authorized Client
 The `ServerOAuth2AuthorizedClientExchangeFilterFunction` determines the client to use (for a request) by resolving the `OAuth2AuthorizedClient` from the `ClientRequest.attributes()` (request attributes).
 The following code shows how to set an `OAuth2AuthorizedClient` as a request attribute:
 ====
 .Java
 [source,java,role="primary"]
 ----
@GetMapping("/")
 public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
 	String resourceUri = ...
 	return webClient
 			.get()
 			.uri(resourceUri)
 			.attributes(oauth2AuthorizedClient(authorizedClient))   <1>
 			.retrieve()
 			.bodyToMono(String.class)
 			...
 			.thenReturn("index");
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@GetMapping("/")
 fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
    val resourceUri: String = ...
    return webClient
            .get()
            .uri(resourceUri)
            .attributes(oauth2AuthorizedClient(authorizedClient)) <1>
            .retrieve()
            .bodyToMono<String>()
            ...
            .thenReturn("index")
 }
 ----
 ====
 <1> `oauth2AuthorizedClient()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
 The following code shows how to set the `ClientRegistration.getRegistrationId()` as a request attribute:
 ====
 .Java
 [source,java,role="primary"]
 ----
@GetMapping("/")
 public Mono<String> index() {
 	String resourceUri = ...
 	return webClient
 			.get()
 			.uri(resourceUri)
 			.attributes(clientRegistrationId("okta"))   <1>
 			.retrieve()
 			.bodyToMono(String.class)
 			...
 			.thenReturn("index");
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@GetMapping("/")
 fun index(): Mono<String> {
    val resourceUri: String = ...
    return webClient
            .get()
            .uri(resourceUri)
            .attributes(clientRegistrationId("okta"))  <1>
            .retrieve()
            .bodyToMono<String>()
            ...
            .thenReturn("index")
 }
 ----
 ====
 <1> `clientRegistrationId()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
 === Defaulting the Authorized Client
 If neither `OAuth2AuthorizedClient` or `ClientRegistration.getRegistrationId()` is provided as a request attribute, the `ServerOAuth2AuthorizedClientExchangeFilterFunction` can determine the _default_ client to use depending on it's configuration.
 If `setDefaultOAuth2AuthorizedClient(true)` is configured and the user has authenticated using `ServerHttpSecurity.oauth2Login()`, the `OAuth2AccessToken` associated with the current `OAuth2AuthenticationToken` is used.
 The following code shows the specific configuration:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
 	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
 			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
 	oauth2Client.setDefaultOAuth2AuthorizedClient(true);
 	return WebClient.builder()
 			.filter(oauth2Client)
 			.build();
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultOAuth2AuthorizedClient(true)
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
 }
 ----
 ====
 [WARNING]
 It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
 Alternatively, if `setDefaultClientRegistrationId("okta")` is configured with a valid `ClientRegistration`, the `OAuth2AccessToken` associated with the `OAuth2AuthorizedClient` is used.
 The following code shows the specific configuration:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
 	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
 			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
 	oauth2Client.setDefaultClientRegistrationId("okta");
 	return WebClient.builder()
 			.filter(oauth2Client)
 			.build();
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultClientRegistrationId("okta")
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
 }
 ----
 ====
 [WARNING]
 It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
--- a/docs/modules/ROOT/pages/reactive/oauth2/client/client-authentication.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/client/client-authentication.adoc
@ -0,0 +1,151 @@
 [[oauth2Client-client-auth-support]]
 = Client Authentication Support
 [[oauth2Client-jwt-bearer-auth]]
 == JWT Bearer
 [NOTE]
 Please refer to JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants for further details on https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer] Client Authentication.
 The default implementation for JWT Bearer Client Authentication is `NimbusJwtClientAuthenticationParametersConverter`,
 which is a `Converter` that customizes the Token Request parameters by adding
 a signed JSON Web Token (JWS) in the `client_assertion` parameter.
 The `java.security.PrivateKey` or `javax.crypto.SecretKey` used for signing the JWS
 is supplied by the `com.nimbusds.jose.jwk.JWK` resolver associated with `NimbusJwtClientAuthenticationParametersConverter`.
 === Authenticate using `private_key_jwt`
 Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
 [source,yaml]
 ----
 spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-authentication-method: private_key_jwt
            authorization-grant-type: authorization_code
            ...
 ----
 The following example shows how to configure `WebClientReactiveAuthorizationCodeTokenResponseClient`:
 ====
 .Java
 [source,java,role="primary"]
 ----
 Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
 	if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
 		// Assuming RSA key type
 		RSAPublicKey publicKey = ...
 		RSAPrivateKey privateKey = ...
 		return new RSAKey.Builder(publicKey)
 				.privateKey(privateKey)
 				.keyID(UUID.randomUUID().toString())
 				.build();
 	}
 	return null;
 };
 WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
 		new WebClientReactiveAuthorizationCodeTokenResponseClient();
 tokenResponseClient.addParametersConverter(
 		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
 val jwkResolver: Function<ClientRegistration, JWK> =
    Function<ClientRegistration, JWK> { clientRegistration ->
        if (clientRegistration.clientAuthenticationMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
            // Assuming RSA key type
            var publicKey: RSAPublicKey = ...
            var privateKey: RSAPrivateKey = ...
            RSAKey.Builder(publicKey)
                    .privateKey(privateKey)
                    .keyID(UUID.randomUUID().toString())
                .build()
        }
        null
    }
 val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
 tokenResponseClient.addParametersConverter(
    NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
 )
 ----
 ====
 === Authenticate using `client_secret_jwt`
 Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
 [source,yaml]
 ----
 spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            client-authentication-method: client_secret_jwt
            authorization-grant-type: client_credentials
            ...
 ----
 The following example shows how to configure `WebClientReactiveClientCredentialsTokenResponseClient`:
 ====
 .Java
 [source,java,role="primary"]
 ----
 Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
 	if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
 		SecretKeySpec secretKey = new SecretKeySpec(
 				clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
 				"HmacSHA256");
 		return new OctetSequenceKey.Builder(secretKey)
 				.keyID(UUID.randomUUID().toString())
 				.build();
 	}
 	return null;
 };
 WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient =
 		new WebClientReactiveClientCredentialsTokenResponseClient();
 tokenResponseClient.addParametersConverter(
 		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
 val jwkResolver = Function<ClientRegistration, JWK?> { clientRegistration: ClientRegistration ->
    if (clientRegistration.clientAuthenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_JWT) {
        val secretKey = SecretKeySpec(
            clientRegistration.clientSecret.toByteArray(StandardCharsets.UTF_8),
            "HmacSHA256"
        )
        OctetSequenceKey.Builder(secretKey)
            .keyID(UUID.randomUUID().toString())
            .build()
    }
    null
 }
 val tokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
 tokenResponseClient.addParametersConverter(
    NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
 )
 ----
 ====
--- a/docs/modules/ROOT/pages/reactive/oauth2/client/core.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/client/core.adoc
@ -0,0 +1,429 @@
 [[oauth2Client-core-interface-class]]
 = Core Interfaces / Classes
 [[oauth2Client-client-registration]]
 == ClientRegistration
 `ClientRegistration` is a representation of a client registered with an OAuth 2.0 or OpenID Connect 1.0 Provider.
 A client registration holds information, such as client id, client secret, authorization grant type, redirect URI, scope(s), authorization URI, token URI, and other details.
 `ClientRegistration` and its properties are defined as follows:
 [source,java]
 ----
 public final class ClientRegistration {
 	private String registrationId;	<1>
 	private String clientId;	<2>
 	private String clientSecret;	<3>
 	private ClientAuthenticationMethod clientAuthenticationMethod;	<4>
 	private AuthorizationGrantType authorizationGrantType;	<5>
 	private String redirectUri;	<6>
 	private Set<String> scopes;	<7>
 	private ProviderDetails providerDetails;
 	private String clientName;	<8>
 	public class ProviderDetails {
 		private String authorizationUri;	<9>
 		private String tokenUri;	<10>
 		private UserInfoEndpoint userInfoEndpoint;
 		private String jwkSetUri;	<11>
 		private String issuerUri;	<12>
 		private Map<String, Object> configurationMetadata;  <13>
 		public class UserInfoEndpoint {
 			private String uri;	<14>
 			private AuthenticationMethod authenticationMethod;  <15>
 			private String userNameAttributeName;	<16>
 		}
 	}
 }
 ----
 <1> `registrationId`: The ID that uniquely identifies the `ClientRegistration`.
 <2> `clientId`: The client identifier.
 <3> `clientSecret`: The client secret.
 <4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
 The supported values are *client_secret_basic*, *client_secret_post*, *private_key_jwt*, *client_secret_jwt* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
 <5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
 The supported values are `authorization_code`, `client_credentials`, `password`, as well as, extension grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`.
 <6> `redirectUri`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent
 to after the end-user has authenticated and authorized access to the client.
 <7> `scopes`: The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.
 <8> `clientName`: A descriptive name used for the client.
 The name may be used in certain scenarios, such as when displaying the name of the client in the auto-generated login page.
 <9> `authorizationUri`: The Authorization Endpoint URI for the Authorization Server.
 <10> `tokenUri`: The Token Endpoint URI for the Authorization Server.
 <11> `jwkSetUri`: The URI used to retrieve the https://tools.ietf.org/html/rfc7517[JSON Web Key (JWK)] Set from the Authorization Server,
 which contains the cryptographic key(s) used to verify the https://tools.ietf.org/html/rfc7515[JSON Web Signature (JWS)] of the ID Token and optionally the UserInfo Response.
 <12> `issuerUri`: Returns the issuer identifier uri for the OpenID Connect 1.0 provider or the OAuth 2.0 Authorization Server.
 <13> `configurationMetadata`: The https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[OpenID Provider Configuration Information].
 This information will only be available if the Spring Boot 2.x property `spring.security.oauth2.client.provider.[providerId].issuerUri` is configured.
 <14> `(userInfoEndpoint)uri`: The UserInfo Endpoint URI used to access the claims/attributes of the authenticated end-user.
 <15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
 The supported values are *header*, *form* and *query*.
 <16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
 A `ClientRegistration` can be initially configured using discovery of an OpenID Connect Provider's https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Configuration endpoint] or an Authorization Server's https://tools.ietf.org/html/rfc8414#section-3[Metadata endpoint].
 `ClientRegistrations` provides convenience methods for configuring a `ClientRegistration` in this way, as can be seen in the following example:
 ====
 .Java
 [source,java,role="primary"]
 ----
 ClientRegistration clientRegistration =
 	ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
 val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()
 ----
 ====
 The above code will query in series `https://idp.example.com/issuer/.well-known/openid-configuration`, and then `https://idp.example.com/.well-known/openid-configuration/issuer`, and finally `https://idp.example.com/.well-known/oauth-authorization-server/issuer`, stopping at the first to return a 200 response.
 As an alternative, you can use `ClientRegistrations.fromOidcIssuerLocation()` to only query the OpenID Connect Provider's Configuration endpoint.
 [[oauth2Client-client-registration-repo]]
 == ReactiveClientRegistrationRepository
 The `ReactiveClientRegistrationRepository` serves as a repository for OAuth 2.0 / OpenID Connect 1.0 `ClientRegistration`(s).
 [NOTE]
 Client registration information is ultimately stored and owned by the associated Authorization Server.
 This repository provides the ability to retrieve a sub-set of the primary client registration information, which is stored with the Authorization Server.
 Spring Boot 2.x auto-configuration binds each of the properties under `spring.security.oauth2.client.registration._[registrationId]_` to an instance of `ClientRegistration` and then composes each of the `ClientRegistration` instance(s) within a `ReactiveClientRegistrationRepository`.
 [NOTE]
 The default implementation of `ReactiveClientRegistrationRepository` is `InMemoryReactiveClientRegistrationRepository`.
 The auto-configuration also registers the `ReactiveClientRegistrationRepository` as a `@Bean` in the `ApplicationContext` so that it is available for dependency-injection, if needed by the application.
 The following listing shows an example:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Controller
 public class OAuth2ClientController {
 	@Autowired
 	private ReactiveClientRegistrationRepository clientRegistrationRepository;
 	@GetMapping("/")
 	public Mono<String> index() {
 		return this.clientRegistrationRepository.findByRegistrationId("okta")
 				...
 				.thenReturn("index");
 	}
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Controller
 class OAuth2ClientController {
    @Autowired
    private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
    @GetMapping("/")
    fun index(): Mono<String> {
        return this.clientRegistrationRepository.findByRegistrationId("okta")
            ...
            .thenReturn("index")
    }
 }
 ----
 ====
 [[oauth2Client-authorized-client]]
 == OAuth2AuthorizedClient
 `OAuth2AuthorizedClient` is a representation of an Authorized Client.
 A client is considered to be authorized when the end-user (Resource Owner) has granted authorization to the client to access its protected resources.
 `OAuth2AuthorizedClient` serves the purpose of associating an `OAuth2AccessToken` (and optional `OAuth2RefreshToken`) to a `ClientRegistration` (client) and resource owner, who is the `Principal` end-user that granted the authorization.
 [[oauth2Client-authorized-repo-service]]
 == ServerOAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService
 `ServerOAuth2AuthorizedClientRepository` is responsible for persisting `OAuth2AuthorizedClient`(s) between web requests.
 Whereas, the primary role of `ReactiveOAuth2AuthorizedClientService` is to manage `OAuth2AuthorizedClient`(s) at the application-level.
 From a developer perspective, the `ServerOAuth2AuthorizedClientRepository` or `ReactiveOAuth2AuthorizedClientService` provides the capability to lookup an `OAuth2AccessToken` associated with a client so that it may be used to initiate a protected resource request.
 The following listing shows an example:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Controller
 public class OAuth2ClientController {
 	@Autowired
 	private ReactiveOAuth2AuthorizedClientService authorizedClientService;
 	@GetMapping("/")
 	public Mono<String> index(Authentication authentication) {
 		return this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName())
 				.map(OAuth2AuthorizedClient::getAccessToken)
 				...
 				.thenReturn("index");
 	}
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Controller
 class OAuth2ClientController {
    @Autowired
    private lateinit var authorizedClientService: ReactiveOAuth2AuthorizedClientService
    @GetMapping("/")
    fun index(authentication: Authentication): Mono<String> {
        return this.authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>("okta", authentication.name)
            .map { it.accessToken }
            ...
            .thenReturn("index")
    }
 }
 ----
 ====
 [NOTE]
 Spring Boot 2.x auto-configuration registers an `ServerOAuth2AuthorizedClientRepository` and/or `ReactiveOAuth2AuthorizedClientService` `@Bean` in the `ApplicationContext`.
 However, the application may choose to override and register a custom `ServerOAuth2AuthorizedClientRepository` or `ReactiveOAuth2AuthorizedClientService` `@Bean`.
 The default implementation of `ReactiveOAuth2AuthorizedClientService` is `InMemoryReactiveOAuth2AuthorizedClientService`, which stores `OAuth2AuthorizedClient`(s) in-memory.
 Alternatively, the R2DBC implementation `R2dbcReactiveOAuth2AuthorizedClientService` may be configured for persisting `OAuth2AuthorizedClient`(s) in a database.
 [NOTE]
 `R2dbcReactiveOAuth2AuthorizedClientService` depends on the table definition described in xref:servlet/appendix/database-schema.adoc#dbschema-oauth2-client[ OAuth 2.0 Client Schema].
 [[oauth2Client-authorized-manager-provider]]
 == ReactiveOAuth2AuthorizedClientManager / ReactiveOAuth2AuthorizedClientProvider
 The `ReactiveOAuth2AuthorizedClientManager` is responsible for the overall management of `OAuth2AuthorizedClient`(s).
 The primary responsibilities include:
 * Authorizing (or re-authorizing) an OAuth 2.0 Client, using a `ReactiveOAuth2AuthorizedClientProvider`.
 * Delegating the persistence of an `OAuth2AuthorizedClient`, typically using a `ReactiveOAuth2AuthorizedClientService` or `ServerOAuth2AuthorizedClientRepository`.
 * Delegating to a `ReactiveOAuth2AuthorizationSuccessHandler` when an OAuth 2.0 Client has been successfully authorized (or re-authorized).
 * Delegating to a `ReactiveOAuth2AuthorizationFailureHandler` when an OAuth 2.0 Client fails to authorize (or re-authorize).
 A `ReactiveOAuth2AuthorizedClientProvider` implements a strategy for authorizing (or re-authorizing) an OAuth 2.0 Client.
 Implementations will typically implement an authorization grant type, eg. `authorization_code`, `client_credentials`, etc.
 The default implementation of `ReactiveOAuth2AuthorizedClientManager` is `DefaultReactiveOAuth2AuthorizedClientManager`, which is associated with a `ReactiveOAuth2AuthorizedClientProvider` that may support multiple authorization grant types using a delegation-based composite.
 The `ReactiveOAuth2AuthorizedClientProviderBuilder` may be used to configure and build the delegation-based composite.
 The following code shows an example of how to configure and build a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
 		ReactiveClientRegistrationRepository clientRegistrationRepository,
 		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
 	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
 			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
 					.authorizationCode()
 					.refreshToken()
 					.clientCredentials()
 					.password()
 					.build();
 	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
 			new DefaultReactiveOAuth2AuthorizedClientManager(
 					clientRegistrationRepository, authorizedClientRepository);
 	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
 	return authorizedClientManager;
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
 }
 ----
 ====
 When an authorization attempt succeeds, the `DefaultReactiveOAuth2AuthorizedClientManager` will delegate to the `ReactiveOAuth2AuthorizationSuccessHandler`, which (by default) will save the `OAuth2AuthorizedClient` via the `ServerOAuth2AuthorizedClientRepository`.
 In the case of a re-authorization failure, eg. a refresh token is no longer valid, the previously saved `OAuth2AuthorizedClient` will be removed from the `ServerOAuth2AuthorizedClientRepository` via the `RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler`.
 The default behaviour may be customized via `setAuthorizationSuccessHandler(ReactiveOAuth2AuthorizationSuccessHandler)` and `setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler)`.
 The `DefaultReactiveOAuth2AuthorizedClientManager` is also associated with a `contextAttributesMapper` of type `Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>>`, which is responsible for mapping attribute(s) from the `OAuth2AuthorizeRequest` to a `Map` of attributes to be associated to the `OAuth2AuthorizationContext`.
 This can be useful when you need to supply a `ReactiveOAuth2AuthorizedClientProvider` with required (supported) attribute(s), eg. the `PasswordReactiveOAuth2AuthorizedClientProvider` requires the resource owner's `username` and `password` to be available in `OAuth2AuthorizationContext.getAttributes()`.
 The following code shows an example of the `contextAttributesMapper`:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
 		ReactiveClientRegistrationRepository clientRegistrationRepository,
 		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
 	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
 			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
 					.password()
 					.refreshToken()
 					.build();
 	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
 			new DefaultReactiveOAuth2AuthorizedClientManager(
 					clientRegistrationRepository, authorizedClientRepository);
 	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
 	// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
 	// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
 	authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
 	return authorizedClientManager;
 }
 private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
 	return authorizeRequest -> {
 		Map<String, Object> contextAttributes = Collections.emptyMap();
 		ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
 		ServerHttpRequest request = exchange.getRequest();
 		String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
 		String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
 		if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
 			contextAttributes = new HashMap<>();
 			// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
 			contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
 			contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
 		}
 		return Mono.just(contextAttributes);
 	};
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .password()
            .refreshToken()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    // Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
    // map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
    authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
    return authorizedClientManager
 }
 private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
    return Function { authorizeRequest ->
        var contextAttributes: MutableMap<String, Any> = mutableMapOf()
        val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
        val request: ServerHttpRequest = exchange.request
        val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
        val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
        if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
            contextAttributes = hashMapOf()
            // `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
            contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
            contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
        }
        Mono.just(contextAttributes)
    }
 }
 ----
 ====
 The `DefaultReactiveOAuth2AuthorizedClientManager` is designed to be used *_within_* the context of a `ServerWebExchange`.
 When operating *_outside_* of a `ServerWebExchange` context, use `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` instead.
 A _service application_ is a common use case for when to use an `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager`.
 Service applications often run in the background, without any user interaction, and typically run under a system-level account instead of a user account.
 An OAuth 2.0 Client configured with the `client_credentials` grant type can be considered a type of service application.
 The following code shows an example of how to configure an `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` that provides support for the `client_credentials` grant type:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
 		ReactiveClientRegistrationRepository clientRegistrationRepository,
 		ReactiveOAuth2AuthorizedClientService authorizedClientService) {
 	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
 			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
 					.clientCredentials()
 					.build();
 	AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
 			new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
 					clientRegistrationRepository, authorizedClientService);
 	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
 	return authorizedClientManager;
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientService: ReactiveOAuth2AuthorizedClientService): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build()
    val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientService)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
 }
 ----
 ====
--- a/docs/modules/ROOT/pages/reactive/oauth2/client/index.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/client/index.adoc
@ -0,0 +1,123 @@
 [[webflux-oauth2-client]]
 = OAuth 2.0 Client
 :page-section-summary-toc: 1
 The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].
 At a high-level, the core features available are:
 .Authorization Grant support
 * https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code]
 * https://tools.ietf.org/html/rfc6749#section-6[Refresh Token]
 * https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials]
 * https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials]
 * https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[JWT Bearer]
 .Client Authentication support
 * https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer]
 .HTTP Client support
 * <<oauth2Client-webclient-webflux, `WebClient` integration for Reactive Environments>> (for requesting protected resources)
 The `ServerHttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
 The following code shows the complete configuration options provided by the `ServerHttpSecurity.oauth2Client()` DSL:
 .OAuth2 Client Configuration Options
 ====
 .Java
 [source,java,role="primary"]
 ----
@EnableWebFluxSecurity
 public class OAuth2ClientSecurityConfig {
 	@Bean
 	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 		http
 			.oauth2Client(oauth2 -> oauth2
 				.clientRegistrationRepository(this.clientRegistrationRepository())
 				.authorizedClientRepository(this.authorizedClientRepository())
 				.authorizationRequestRepository(this.authorizationRequestRepository())
 				.authenticationConverter(this.authenticationConverter())
 				.authenticationManager(this.authenticationManager())
 			);
 		return http.build();
 	}
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@EnableWebFluxSecurity
 class OAuth2ClientSecurityConfig {
    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            oauth2Client {
                clientRegistrationRepository = clientRegistrationRepository()
                authorizedClientRepository = authorizedClientRepository()
                authorizationRequestRepository = authorizedRequestRepository()
                authenticationConverter = authenticationConverter()
                authenticationManager = authenticationManager()
            }
        }
        return http.build()
    }
 }
 ----
 ====
 The `ReactiveOAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `ReactiveOAuth2AuthorizedClientProvider`(s).
 The following code shows an example of how to register a `ReactiveOAuth2AuthorizedClientManager` `@Bean` and associate it with a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
 ====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
 		ReactiveClientRegistrationRepository clientRegistrationRepository,
 		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
 	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
 			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
 					.authorizationCode()
 					.refreshToken()
 					.clientCredentials()
 					.password()
 					.build();
 	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
 			new DefaultReactiveOAuth2AuthorizedClientManager(
 					clientRegistrationRepository, authorizedClientRepository);
 	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
 	return authorizedClientManager;
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
 }
 ----
 ====