Override behavior of OAuth2AuthorizationServerConfigurer configurer

[FNI18300]

Expected Behavior

The org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers package must contains configurer that must be more configurable.

For example (1) :
org.rudi.microservice.acl.facade.config.security.oauth2.configurer.OAuth2AuthorizationServerConfigurer classe contains a list of AbstractOAuth2Configurer
It's not possible to replace one of them by another accessing the org.rudi.microservice.acl.facade.config.security.oauth2.configurer.OAuth2AuthorizationServerConfigurer.configurers field list.

For example (2) : org.rudi.microservice.acl.facade.config.security.oauth2.configurer.OAuth2ClientAuthenticationConfigurer.createDefaultAuthenticationConverters() is private and is not possible to add AuthenticationConverter simply.

Current Behavior

The org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers package contains many final classes and many private methods and is not design to be override simply.

Context

To configure the org.rudi.microservice.acl.facade.config.security.oauth2.configurer.ClientSecretBasicAuthenticationConverter behavior we need to duplicate all classes present in org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers package

[jgrandja]

@FNI18300 It's not clear to me what you are trying to configure?

To configure the org.rudi.microservice.acl.facade.config.security.oauth2.configurer.ClientSecretBasicAuthenticationConverter behavior we need to duplicate all classes present in org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers package

The ClientSecretBasicAuthenticationConverter is in your own package. Are you trying to configure a custom converter? If so, have you read the reference documentation?

[FNI18300]

We want to change the behavior of ClientSecretBasicAuthenticationConverter so we want to remove this converter and provide our own one.
This converter is added by org.rudi.microservice.acl.facade.config.security.oauth2.configurer.OAuth2ClientAuthenticationConfigurer.createDefaultAuthenticationConverters()
and used into org.rudi.microservice.acl.facade.config.security.oauth2.configurer.OAuth2ClientAuthenticationConfigurer.configure(HttpSecurity)

We can't configure default list so it seems that we can only add converters and not override or remove them.

Addendum
It seems that for the current purpose, we could add our own ClientSecretBasicAuthenticationConverter in first place to override the default behavior.
But i think that it could be useful to add more control on default values.

[jgrandja]

@FNI18300

We can't configure default list so it seems that we can only add converters and not override or remove them.

The capability to completely override the default converters has been available for quite some time. As pointed out in my previous comment, the reference documentation states:

authenticationConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's allowing the ability to add, remove, or customize a specific AuthenticationConverter.

Overriding the default converters would look like this:

authorizationServer
		.clientAuthentication((clientAuthentication) ->
				clientAuthentication
						.authenticationConverters(converters -> {
							converters.clear();
							converters.add(customAuthenticationConverter);
						})
		)

	)

I'm going to close this as this configuration option is available.

I'll label this as a question. FYI, questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.