Describe the bug
In Spring Security WebFlux, `OAuth2LoginSpec#getLinks` populates the returned map with authorization links for all registered client registrations, even for those using the `client_credentials` grant type meant for server-to-server authentication. This has the following consequences:

If you have two client registrations, A with grant type `authorization_code` and another registration B with `client_credentials`, the authorization entry point created by Spring Security WebFlux redirects to the default login page (`/login`) rather than directly to the authorization flow of A (`/oauth2/authorization/A`). Even worse, that login page will show an authorization link for registration B even though it is not possible for a user to log in through the `client_credentials` OAuth2 flow. In fact, following this link yields a 500 error as `DefaultServerOAuth2AuthorizationRequestResolver` (sensibly) does not support `client_credentials`.
To Reproduce
- Create a Spring Boot application with WebFlux and Spring Security
- Define two client registrations within `spring.security.oauth2.client.registration` in `application.yml`: `a` with `authorization-grant-type: authorization_code`, `b` with `authorization-grant-type: client_credentials`
- Configure a `ServerHttpSecurity` bean protecting some path with `oauth2Login()`
- Start the application
- Navigate to the protected path
Expected behavior
I get redirected to `/oauth2/authorization/a` and then to the OAuth2 provider's login page.
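A minimal reproduction of the steps above, written as an added example that is not part of the issue or of Spring Security's own code. It defines the two registrations programmatically through `InMemoryReactiveClientRegistrationRepository` instead of `application.yml` so the class is self-contained; the registration ids `a` and `b` match the report, while the client ids, secrets, the `https://idp.example.test` endpoints and the `/protected/**` path are placeholders chosen here. With this configuration, a request to `/protected/anything` is answered with a redirect to `/login`, which lists both `a` and `b`, rather than with the expected redirect to `/oauth2/authorization/a`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.web.server.SecurityWebFilterChain;

/**
 * Reproduction config for the OAuth2LoginSpec#getLinks report.
 * Registration "a" is a browser login (authorization_code); registration "b"
 * is a machine-to-machine client (client_credentials) that must never appear
 * as a login option. All endpoints and credentials are placeholders.
 */
@Configuration
@EnableWebFluxSecurity
public class ReproSecurityConfig {

    @Bean
    ReactiveClientRegistrationRepository clientRegistrations() {
        // Equivalent of spring.security.oauth2.client.registration.a in application.yml
        ClientRegistration a = ClientRegistration.withRegistrationId("a")
                .clientId("a-client")                       // placeholder
                .clientSecret("a-secret")                   // placeholder
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid")
                .authorizationUri("https://idp.example.test/oauth2/authorize") // placeholder
                .tokenUri("https://idp.example.test/oauth2/token")             // placeholder
                .build();

        // Equivalent of spring.security.oauth2.client.registration.b in application.yml.
        // No authorizationUri or redirectUri: client_credentials has no user interaction.
        ClientRegistration b = ClientRegistration.withRegistrationId("b")
                .clientId("b-client")                       // placeholder
                .clientSecret("b-secret")                   // placeholder
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .tokenUri("https://idp.example.test/oauth2/token")             // placeholder
                .build();

        return new InMemoryReactiveClientRegistrationRepository(a, b);
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                // Protect one path; everything else stays public so the
                // behaviour is visible only when hitting /protected/**.
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/protected/**").authenticated()
                        .anyExchange().permitAll())
                // Default oauth2Login(): the entry point is derived from the
                // links OAuth2LoginSpec#getLinks returns, which is where "b" leaks in.
                .oauth2Login(Customizer.withDefaults())
                .build();
    }
}
```

To observe the behaviour, run the application and issue `curl -i http://localhost:8080/protected/x`; the `Location` header of the 302 response is the point the report is about. The issue itself does not discuss a workaround; one that follows from Spring Security's documented API, and is my suggestion rather than the reporter's, is to pin the entry point explicitly with `http.exceptionHandling(e -> e.authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/a")))`, which bypasses the generated `/login` page and its link to `b`.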