ServletOAuth2AuthorizedClientExchangeFilterFunction doesn't obtain a token if no servlet request

[petergphillips]

Describe the bug
After the upgrade to Spring Security 7.1.0 our web clients no longer attempt to retrieve an oauth2 token when used in batch jobs and when fired from event listeners.

If there is a servlet request (so triggered from an incoming request) then the web clients will retrieve an oauth2 token as expected.

To Reproduce
Create a web client with a ServletOAuth2AuthorizedClientExchangeFilterFunction that is created from a AuthorizedClientServiceOAuth2AuthorizedClientManager. This manager (according to the docs) should be capable of operating in a scheduled / background thread. So:

new ServletOAuth2AuthorizedClientExchangeFilterFunction(
		new AuthorizedClientServiceOAuth2AuthorizedClientManager(this.clientRegistrationRepository,
				new InMemoryOAuth2AuthorizedClientService(this.clientRegistrationRepository)
		)
);

Call the web client without any request / response attributes in thread local scope.

Expected behavior
A token is retrieved from the oauth2 provider for the web client request.

Actual behavior
No token is retrieved at all. Looking at the recent changes to the ServletOAuth2AuthorizedClientExchangeFilterFunction there was a null check that was added in baad23c:

		if (servletRequest == null || servletResponse == null) {
			return Mono.empty();
		}

Our service then reaches that code and then returns, so no token is then retrieved. The web client then fails as no authentication header is set in the call.

[mike-thecodebuilders]

I'm facing the same problem after upgrading to the latest Spring (Boot) version.

In case you're interested, as a workaround I'm now applying the following ExchangeFilterFunction on the WebClient.Builder. For now this seems to "resolve" the issue:

package ***;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.ResponseFacade;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import reactor.core.publisher.Mono;

public class TempOutsideServletWorkaroundFilterFunction implements ExchangeFilterFunction {

    @Override
    public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
        ClientRequest updated = ClientRequest.from(request)
                .attribute(HttpServletRequest.class.getName(), new RequestFacade(null))
                .attribute(HttpServletResponse.class.getName(), new ResponseFacade(null))
                .build();
        return next.exchange(updated);
    }

}

[amuttsch]

We faced the same issue. I think using the ServletOAuth2AuthorizedClientExchangeFilterFunction is actually wrong when using the WebClient outside of a http request, where no servlet context is available - i.e. background tasks or schedules. We have moved to the ServerOAuth2AuthorizedClientExchangeFilterFunction (Note the ServletOAuth... vs. ServerOAuth... class) instead, which worked without workarounds. But you have to use the reactive dependency variants for it.

The ServletOAuth2AuthorizedClientExchangeFilterFunction class also states this in the JavaDoc:

NOTE:This class is intended to be used in a Servlet environment.