AbstractWebClientReactiveOAuth2AccessTokenResponseClient and access modifiers for methods

[skhrom]

Describe the bug
AbstractWebClientReactiveOAuth2AccessTokenResponseClient is abstract, but it is not final. I can extend it for my project (specific package), but AbstractWebClientReactiveOAuth2AccessTokenResponseClient has default access modifiers for methods "clientRegistration" and "scopes", so i get compilation error.

Expected behavior
I expect that i can extend this class in my project (package doesn't equal org.springframework.security.oauth2.client.endpoint) or not if it is final.

[jgrandja]

@skhrom Can you please provide more details on why you need protected access to clientRegistration() and scopes(). I'd like to understand your use case better.

FYI, we typically don't "open" things up unless there are no other options for customization or extension.

[skhrom]

Hello, @jgrandja

I need to use spring-security, oauth2, openid-connect for authorization-grant-type client_credentials. I use Webclient.
Our Authorization Server expects, that client to send additional parameters (resources and scope (https://datatracker.ietf.org/doc/html/rfc8707)).
I have set parameters in OAuth2AuthorizationContext#attributes (org.springframework.security.oauth2.client.OAuth2AuthorizationContext),
but the provider (ClientCredentialsReactiveOAuth2AuthorizedClientProvider#authorize) doesn't handle it
and AbstractWebClientReactiveOAuth2AccessTokenResponseClient(method getTokenResponse) too.
Therefore, i need to implement the provider and the client that will handle the parameters from OAuth2AuthorizationContext.

[jgrandja]

@skhrom Adding custom parameters in the token request is possible via WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter() or WebClientReactiveClientCredentialsTokenResponseClient.addParametersConverter().

NOTE: This was added in 5.6

Please see Customizing the Access Token Request for further details.

I'm going to close this since customizations hooks are already available.