Description

Expected Behavior

When an Authorization Server returns an access token with a custom attribute for scope, the value stored in the database column `oauth2_authorized_client.access_token_scopes` contains the scope(s) in the access token.

Current Behavior

When an Authorization Server returns an access token with a custom attribute for scope (e.g. `"scp": "read_notifications.v1"`), the value stored in the database column `oauth2_authorized_client.access_token_scopes` is null.
Context

The application I am developing has different scopes based on the features enabled. I need to be able to query `oauth2_authorized_client` on the `access_token_scopes` column to find a match so I use the proper access token. However, that column is empty because the third-party Authorization Server returns an access token with the attribute `"scp":` for scopes.

The Spring ResourceServer DSL has `jwtAuthenticationConverter()`. Something similar would be ideal as it happens upstream from all `OAuth2AuthorizedClient` behavior.

The only alternative I have thought of to date is to modify the schema for `oauth2_authorized_client` to include a generated primary key and then create a separate table with the scopes with a link to the generated primary key. I would have to figure out how to call the logic to populate this table.

I considered `GrantedAuthoritiesMapper` but I "think" it is too late in the flow, i.e. the row has already been written by the time it would be called.

A workaround might be to subclass `R2dbcReactiveOAuth2AuthorizedClientService` with a custom `OAuth2AuthorizedClientParametersMapper`.
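One way to implement that last workaround, as an added example that is not part of the issue or of Spring Security: a mapper that extends the stock `OAuth2AuthorizedClientParametersMapper` and, when the token response carried no `scope` parameter, reads the JWT's `scp` claim and binds it to the `accessTokenScopes` parameter. The class name, the Jackson-based payload decoding and the handling of both string and array forms of `scp` are assumptions.

```java
import java.util.*;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.r2dbc.core.Parameter;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.client.r2dbc.R2dbcReactiveOAuth2AuthorizedClientService.OAuth2AuthorizedClientHolder;
import org.springframework.security.oauth2.client.r2dbc.R2dbcReactiveOAuth2AuthorizedClientService.OAuth2AuthorizedClientParametersMapper;
import org.springframework.util.StringUtils;

// Hypothetical mapper (not part of Spring Security): when the token response had no
// "scope" parameter, OAuth2AccessToken.getScopes() is empty and the stock mapper
// binds null; fall back to the JWT's "scp" claim so the column becomes queryable.
public class ScpAwareParametersMapper extends OAuth2AuthorizedClientParametersMapper {
    private static final ObjectMapper JSON = new ObjectMapper();

    @Override
    public Map<String, Parameter> apply(OAuth2AuthorizedClientHolder holder) {
        Map<String, Parameter> parameters = new HashMap<>(super.apply(holder));
        OAuth2AccessToken token = holder.getAuthorizedClient().getAccessToken();
        if (token.getScopes() == null || token.getScopes().isEmpty()) {
            Set<String> scp = readScpClaim(token.getTokenValue());
            if (!scp.isEmpty()) {
                parameters.put("accessTokenScopes",
                        Parameter.from(StringUtils.collectionToDelimitedString(scp, ",")));
            }
        }
        return parameters;
    }

    // Reads the payload segment only. The signature is not verified here: the token
    // came straight from the Authorization Server's token endpoint and the value is
    // used to index our own table, not to make an authorization decision.
    static Set<String> readScpClaim(String tokenValue) {
        String[] parts = tokenValue.split("\\.");
        Set<String> result = new LinkedHashSet<>();
        if (parts.length < 2) {
            return result; // opaque (non-JWT) token: nothing to read
        }
        try {
            JsonNode scp = JSON.readTree(Base64.getUrlDecoder().decode(parts[1])).get("scp");
            if (scp != null && scp.isArray()) {
                scp.forEach(n -> result.add(n.asText()));             // "scp": ["a", "b"]
            } else if (scp != null) {
                Collections.addAll(result, scp.asText().split(" ")); // "scp": "a b"
            }
        } catch (Exception e) {
            result.clear(); // malformed payload: leave the column as it was
        }
        return result;
    }
}
```

Register it on the service with `service.setAuthorizedClientParametersMapper(new ScpAwareParametersMapper())`; note that this ties the client to the Authorization Server's token format, since a JWT access token is opaque to the client by specification.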