sjohnr
commented
3 weeks ago Thanks for the report @DaceKonn! I'm not sure I agree with classifying this as a bug, and instead feel this might make a good enhancement request. I don't find anywhere in the docs that we state the OAuth2 Client features support downstream propagation. Do you find anything like that?
Note that you will easily be able to configure a custom WebClient for any OAuth2 Client component in 6.3 (soon to be released) by following Customize the WebClient used by OAuth2 Client Components in the reference (this link currently points to RC1 docs). That section of the docs also includes a more verbose example that works prior to 6.3.
rishiraj88
DaceKonn
Describe the bug The current version of Reactive OAuth Security doesn't follow all Observability documentation recommendations, therefore it doesn't propagate trace and baggage's over network. See: Docs Spring.io - 8.4. Propagating Traces
Class example: oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractWebClientReactiveOAuth2AccessTokenResponseClient.java
Where
WebClient.Builder()is used statically - therefore it has NOOPObservationRegistryand doesn't register Request Observations, and doesn't allow propagating traces (for example B3 Brave Zipkin Baggage's propagation).To Reproduce Creating Reactive OAuth client and trying to send traces and baggage's to authentication server.
Expected behavior OAuth calls from client to server in Reactive Security and Spring Boot 3 start proper request observations and propagate baggage's.