From 526e0fdd4fde023a7fa77dff70f4424e10b7dcba Mon Sep 17 00:00:00 2001
From: Joe Grandja <jgrandja@pivotal.io>
Date: Thu, 8 Mar 2018 06:09:50 -0500
Subject: [PATCH] Add OAuth2 Client HandlerMethodArgumentResolver

Fixes gh-4651
---
 .../web/configuration/EnableWebSecurity.java  |   7 +-
 .../OAuth2ClientConfiguration.java            |  76 +++++
 .../configuration/OAuth2ImportSelector.java   |  41 +++
 .../oauth2/client/OAuth2ClientConfigurer.java |   5 +
 .../oauth2/client/OAuth2LoginConfigurer.java  |   5 +
 .../OAuth2ClientConfigurationTests.java       | 136 +++++++++
 .../client/OAuth2ClientConfigurerTests.java   |  50 +++-
 .../_includes/preface/java-configuration.adoc |   4 +-
 .../client/annotation/OAuth2Client.java       |  85 ++++++
 ...th2AuthorizationRequestRedirectFilter.java |  24 +-
 .../OAuth2ClientArgumentResolver.java         | 144 ++++++++++
 ...thorizationRequestRedirectFilterTests.java |  30 +-
 .../OAuth2ClientArgumentResolverTests.java    | 260 ++++++++++++++++++
 ...roller.java => GitHubReposController.java} |  20 +-
 .../samples/OAuth2LoginApplicationTests.java  |   4 +-
 ...roller.java => OAuth2LoginController.java} |  30 +-
 16 files changed, 850 insertions(+), 71 deletions(-)
 create mode 100644 config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
 create mode 100644 config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java
 create mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java
 create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/annotation/OAuth2Client.java
 create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolver.java
 create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolverTests.java
 rename samples/boot/oauth2/authcodegrant/src/main/java/sample/web/{MainController.java => GitHubReposController.java} (73%)
 rename samples/boot/oauth2login/src/main/java/sample/web/{MainController.java => OAuth2LoginController.java} (66%)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
index 1b5067c576..940d685eaf 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -73,7 +73,8 @@ import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 @Target(value = { java.lang.annotation.ElementType.TYPE })
 @Documented
 @Import({ WebSecurityConfiguration.class,
-		SpringWebMvcImportSelector.class })
+		SpringWebMvcImportSelector.class,
+		OAuth2ImportSelector.class })
 @EnableGlobalAuthentication
 @Configuration
 public @interface EnableWebSecurity {
@@ -83,4 +84,4 @@ public @interface EnableWebSecurity {
 	 * @return if true, enables debug support with Spring Security
 	 */
 	boolean debug() default false;
-}
\ No newline at end of file
+}
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
new file mode 100644
index 0000000000..e0ff29b599
--- /dev/null
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configuration;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.ImportSelector;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.method.annotation.OAuth2ClientArgumentResolver;
+import org.springframework.util.ClassUtils;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import java.util.List;
+
+/**
+ * {@link Configuration} for OAuth 2.0 Client support.
+ *
+ * <p>
+ * This {@code Configuration} is conditionally imported by {@link OAuth2ImportSelector}
+ * when the {@code spring-security-oauth2-client} module is present on the classpath.
+ *
+ * @author Joe Grandja
+ * @since 5.1
+ * @see OAuth2ImportSelector
+ */
+@Import(OAuth2ClientConfiguration.OAuth2ClientWebMvcImportSelector.class)
+final class OAuth2ClientConfiguration {
+
+	static class OAuth2ClientWebMvcImportSelector implements ImportSelector {
+
+		@Override
+		public String[] selectImports(AnnotationMetadata importingClassMetadata) {
+			boolean webmvcPresent = ClassUtils.isPresent(
+				"org.springframework.web.servlet.DispatcherServlet", getClass().getClassLoader());
+
+			return webmvcPresent ?
+				new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration" } :
+				new String[] {};
+		}
+	}
+
+	@Configuration
+	static class OAuth2ClientWebMvcSecurityConfiguration implements WebMvcConfigurer {
+		@Autowired(required = false)
+		private ClientRegistrationRepository clientRegistrationRepository;
+
+		@Autowired(required = false)
+		private OAuth2AuthorizedClientService authorizedClientService;
+
+		@Override
+		public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
+			if (this.clientRegistrationRepository != null && this.authorizedClientService != null) {
+				OAuth2ClientArgumentResolver oauth2ClientArgumentResolver = new OAuth2ClientArgumentResolver(
+					this.clientRegistrationRepository, this.authorizedClientService);
+				argumentResolvers.add(oauth2ClientArgumentResolver);
+			}
+		}
+	}
+}
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java
new file mode 100644
index 0000000000..93ed25eca7
--- /dev/null
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configuration;
+
+import org.springframework.context.annotation.ImportSelector;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.util.ClassUtils;
+
+/**
+ * Used by {@link EnableWebSecurity} to conditionally import {@link OAuth2ClientConfiguration}
+ * when the {@code spring-security-oauth2-client} module is present on the classpath.
+
+ * @author Joe Grandja
+ * @since 5.1
+ * @see OAuth2ClientConfiguration
+ */
+final class OAuth2ImportSelector implements ImportSelector {
+
+	@Override
+	public String[] selectImports(AnnotationMetadata importingClassMetadata) {
+		boolean oauth2ClientPresent = ClassUtils.isPresent(
+			"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader());
+
+		return oauth2ClientPresent ?
+			new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration" } :
+			new String[] {};
+	}
+}
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java
index 79ab1adc27..e7e6b47a80 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java
@@ -28,6 +28,7 @@ import org.springframework.security.oauth2.client.web.AuthorizationRequestReposi
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.util.Assert;
 
 /**
@@ -277,6 +278,10 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>> exte
 			authorizationRequestFilter.setAuthorizationRequestRepository(
 				authorizationCodeGrantConfigurer.authorizationEndpointConfig.authorizationRequestRepository);
 		}
+		RequestCache requestCache = builder.getSharedObject(RequestCache.class);
+		if (requestCache != null) {
+			authorizationRequestFilter.setRequestCache(requestCache);
+		}
 		builder.addFilter(this.postProcess(authorizationRequestFilter));
 
 		AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
index 7b924691f8..972afc1443 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@@ -52,6 +52,7 @@ import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
+import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -447,6 +448,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 			authorizationRequestFilter.setAuthorizationRequestRepository(
 				this.authorizationEndpointConfig.authorizationRequestRepository);
 		}
+		RequestCache requestCache = http.getSharedObject(RequestCache.class);
+		if (requestCache != null) {
+			authorizationRequestFilter.setRequestCache(requestCache);
+		}
 		http.addFilter(this.postProcess(authorizationRequestFilter));
 
 		OAuth2LoginAuthenticationFilter authenticationFilter = this.getAuthenticationFilter();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java
new file mode 100644
index 0000000000..c4eb67cd15
--- /dev/null
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configuration;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.annotation.OAuth2Client;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Tests for {@link OAuth2ClientConfiguration}.
+ *
+ * @author Joe Grandja
+ */
+public class OAuth2ClientConfigurationTests {
+	@Rule
+	public final SpringTestRule spring = new SpringTestRule();
+
+	@Autowired
+	private MockMvc mockMvc;
+
+	@Test
+	public void requestWhenAuthorizedClientFoundThenOAuth2ClientArgumentsResolved() throws Exception {
+		String clientRegistrationId = "client1";
+		String principalName = "user1";
+
+		ClientRegistrationRepository clientRegistrationRepository = mock(ClientRegistrationRepository.class);
+		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(clientRegistrationId)
+				.clientId("client-id")
+				.clientSecret("secret")
+				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+				.redirectUriTemplate("{baseUrl}/client1")
+				.scope("scope1", "scope2")
+				.authorizationUri("https://provider.com/oauth2/auth")
+				.tokenUri("https://provider.com/oauth2/token")
+				.clientName("Client 1")
+				.build();
+		when(clientRegistrationRepository.findByRegistrationId(clientRegistrationId)).thenReturn(clientRegistration);
+
+		OAuth2AuthorizedClientService authorizedClientService = mock(OAuth2AuthorizedClientService.class);
+		OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class);
+		when(authorizedClientService.loadAuthorizedClient(clientRegistrationId, principalName)).thenReturn(authorizedClient);
+
+		OAuth2AccessToken accessToken = mock(OAuth2AccessToken.class);
+		when(authorizedClient.getAccessToken()).thenReturn(accessToken);
+
+		OAuth2ClientArgumentResolverConfig.CLIENT_REGISTRATION_REPOSITORY = clientRegistrationRepository;
+		OAuth2ClientArgumentResolverConfig.AUTHORIZED_CLIENT_SERVICE = authorizedClientService;
+		this.spring.register(OAuth2ClientArgumentResolverConfig.class).autowire();
+
+		this.mockMvc.perform(get("/access-token").with(user(principalName)))
+			.andExpect(status().isOk())
+			.andExpect(content().string("resolved"));
+		this.mockMvc.perform(get("/authorized-client").with(user(principalName)))
+			.andExpect(status().isOk())
+			.andExpect(content().string("resolved"));
+		this.mockMvc.perform(get("/client-registration").with(user(principalName)))
+			.andExpect(status().isOk())
+			.andExpect(content().string("resolved"));
+	}
+
+	@EnableWebMvc
+	@EnableWebSecurity
+	static class OAuth2ClientArgumentResolverConfig extends WebSecurityConfigurerAdapter {
+		static ClientRegistrationRepository CLIENT_REGISTRATION_REPOSITORY;
+		static OAuth2AuthorizedClientService AUTHORIZED_CLIENT_SERVICE;
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+		}
+
+		@RestController
+		public class Controller {
+
+			@GetMapping("/access-token")
+			public String accessToken(@OAuth2Client("client1") OAuth2AccessToken accessToken) {
+				return accessToken != null ? "resolved" : "not-resolved";
+			}
+
+			@GetMapping("/authorized-client")
+			public String authorizedClient(@OAuth2Client("client1") OAuth2AuthorizedClient authorizedClient) {
+				return authorizedClient != null ? "resolved" : "not-resolved";
+			}
+
+			@GetMapping("/client-registration")
+			public String clientRegistration(@OAuth2Client("client1") ClientRegistration clientRegistration) {
+				return clientRegistration != null ? "resolved" : "not-resolved";
+			}
+		}
+
+		@Bean
+		public ClientRegistrationRepository clientRegistrationRepository() {
+			return CLIENT_REGISTRATION_REPOSITORY;
+		}
+
+		@Bean
+		public OAuth2AuthorizedClientService authorizedClientService() {
+			return AUTHORIZED_CLIENT_SERVICE;
+		}
+	}
+}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
index fd015321a7..08917c1bad 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
@@ -19,6 +19,7 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
@@ -29,6 +30,7 @@ import org.springframework.security.config.test.SpringTestRule;
 import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.annotation.OAuth2Client;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -42,16 +44,21 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
@@ -69,6 +76,8 @@ public class OAuth2ClientConfigurerTests {
 
 	private static OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
 
+	private static RequestCache requestCache;
+
 	@Rule
 	public final SpringTestRule spring = new SpringTestRule();
 
@@ -101,6 +110,7 @@ public class OAuth2ClientConfigurerTests {
 				.build();
 		accessTokenResponseClient = mock(OAuth2AccessTokenResponseClient.class);
 		when(accessTokenResponseClient.getTokenResponse(any(OAuth2AuthorizationCodeGrantRequest.class))).thenReturn(accessTokenResponse);
+		requestCache = mock(RequestCache.class);
 	}
 
 	@Test
@@ -151,7 +161,20 @@ public class OAuth2ClientConfigurerTests {
 		assertThat(authorizedClient).isNotNull();
 	}
 
+	@Test
+	public void configureWhenRequestCacheProvidedAndClientAuthorizationRequiredExceptionThrownThenRequestCacheUsed() throws Exception {
+		this.spring.register(OAuth2ClientConfig.class).autowire();
+
+		MvcResult mvcResult = this.mockMvc.perform(get("/resource1").with(user("user1")))
+				.andExpect(status().is3xxRedirection())
+				.andReturn();
+		assertThat(mvcResult.getResponse().getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?response_type=code&client_id=client-1&scope=user&state=.{15,}&redirect_uri=http://localhost/client-1");
+
+		verify(requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+	}
+
 	@EnableWebSecurity
+	@EnableWebMvc
 	static class OAuth2ClientConfig extends WebSecurityConfigurerAdapter {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
@@ -159,13 +182,32 @@ public class OAuth2ClientConfigurerTests {
 				.authorizeRequests()
 					.anyRequest().authenticated()
 					.and()
+				.requestCache()
+					.requestCache(requestCache)
+					.and()
 				.oauth2()
 					.client()
-						.clientRegistrationRepository(clientRegistrationRepository)
-						.authorizedClientService(authorizedClientService)
 						.authorizationCodeGrant()
 							.tokenEndpoint()
 								.accessTokenResponseClient(accessTokenResponseClient);
 		}
+
+		@Bean
+		public ClientRegistrationRepository clientRegistrationRepository() {
+			return clientRegistrationRepository;
+		}
+
+		@Bean
+		public OAuth2AuthorizedClientService authorizedClientService() {
+			return authorizedClientService;
+		}
+
+		@RestController
+		public class ResourceController {
+			@GetMapping("/resource1")
+			public String resource1(@OAuth2Client("registration-1") OAuth2AuthorizedClient authorizedClient) {
+				return "resource1";
+			}
+		}
 	}
 }
diff --git a/docs/manual/src/docs/asciidoc/_includes/preface/java-configuration.adoc b/docs/manual/src/docs/asciidoc/_includes/preface/java-configuration.adoc
index 2d786baebd..148a59d209 100644
--- a/docs/manual/src/docs/asciidoc/_includes/preface/java-configuration.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/preface/java-configuration.adoc
@@ -673,7 +673,7 @@ The following listing shows an example:
 [source,java]
 ----
 @Controller
-public class MainController {
+public class OAuth2LoginController {
 
 	@Autowired
 	private ClientRegistrationRepository clientRegistrationRepository;
@@ -953,7 +953,7 @@ The following listing shows an example:
 [source,java]
 ----
 @Controller
-public class MainController {
+public class OAuth2LoginController {
 
 	@Autowired
 	private OAuth2AuthorizedClientService authorizedClientService;
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/annotation/OAuth2Client.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/annotation/OAuth2Client.java
new file mode 100644
index 0000000000..c8bd1c7af6
--- /dev/null
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/annotation/OAuth2Client.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.annotation;
+
+import org.springframework.core.annotation.AliasFor;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.web.method.annotation.OAuth2ClientArgumentResolver;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * This annotation may be used to resolve a method parameter into an argument value
+ * for the following types: {@link ClientRegistration}, {@link OAuth2AuthorizedClient}
+ * and {@link OAuth2AccessToken}.
+ *
+ * <p>
+ * For example:
+ * <pre>
+ * &#64;Controller
+ * public class MyController {
+ *     &#64;GetMapping("/client-registration")
+ *     public String clientRegistration(@OAuth2Client("login-client") ClientRegistration clientRegistration) {
+ *         // do something with clientRegistration
+ *     }
+ *
+ *     &#64;GetMapping("/authorized-client")
+ *     public String authorizedClient(@OAuth2Client("login-client") OAuth2AuthorizedClient authorizedClient) {
+ *         // do something with authorizedClient
+ *     }
+ *
+ *     &#64;GetMapping("/access-token")
+ *     public String accessToken(@OAuth2Client("login-client") OAuth2AccessToken accessToken) {
+ *         // do something with accessToken
+ *     }
+ * }
+ * </pre>
+ *
+ * @author Joe Grandja
+ * @since 5.1
+ * @see OAuth2ClientArgumentResolver
+ */
+@Target({ ElementType.PARAMETER, ElementType.ANNOTATION_TYPE })
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface OAuth2Client {
+
+	/**
+	 * Sets the client registration identifier.
+	 *
+	 * @return the client registration identifier
+	 */
+	@AliasFor("value")
+	String registrationId() default "";
+
+	/**
+	 * The default attribute for this annotation.
+	 * This is an alias for {@link #registrationId()}.
+	 * For example, {@code @OAuth2Client("login-client")} is equivalent to
+	 * {@code @OAuth2Client(registrationId="login-client")}.
+	 *
+	 * @return the client registration identifier
+	 */
+	@AliasFor("registrationId")
+	String value() default "";
+
+}
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
index 89785c76d6..78ba725505 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
@@ -93,8 +93,8 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 	private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
 		new HttpSessionOAuth2AuthorizationRequestRepository();
+	private RequestCache requestCache = new HttpSessionRequestCache();
 	private final ThrowableAnalyzer throwableAnalyzer = new DefaultThrowableAnalyzer();
-	private final RequestCache requestCache = new HttpSessionRequestCache();
 
 	/**
 	 * Constructs an {@code OAuth2AuthorizationRequestRedirectFilter} using the provided parameters.
@@ -131,6 +131,17 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 		this.authorizationRequestRepository = authorizationRequestRepository;
 	}
 
+	/**
+	 * Sets the {@link RequestCache} used for storing the current request
+	 * before redirecting the OAuth 2.0 Authorization Request.
+	 *
+	 * @param requestCache the cache used for storing the current request
+	 */
+	public final void setRequestCache(RequestCache requestCache) {
+		Assert.notNull(requestCache, "requestCache cannot be null");
+		this.requestCache = requestCache;
+	}
+
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
@@ -212,8 +223,9 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 		} else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.implicit();
 		} else {
-			throw new IllegalArgumentException("Invalid Authorization Grant Type for Client Registration (" +
-				clientRegistration.getRegistrationId() + "): " + clientRegistration.getAuthorizationGrantType());
+			throw new IllegalArgumentException("Invalid Authorization Grant Type ("  +
+					clientRegistration.getAuthorizationGrantType().getValue() +
+					") for Client Registration with Id: " + clientRegistration.getRegistrationId());
 		}
 		OAuth2AuthorizationRequest authorizationRequest = builder
 				.clientId(clientRegistration.getClientId())
@@ -235,10 +247,10 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 	private void unsuccessfulRedirectForAuthorization(HttpServletRequest request, HttpServletResponse response,
 														Exception failed) throws IOException, ServletException {
 
-		if (logger.isDebugEnabled()) {
-			logger.debug("Authorization Request failed: " + failed.toString(), failed);
+		if (logger.isErrorEnabled()) {
+			logger.error("Authorization Request failed: " + failed.toString(), failed);
 		}
-		response.sendError(HttpStatus.BAD_REQUEST.value(), HttpStatus.BAD_REQUEST.getReasonPhrase());
+		response.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value(), HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
 	}
 
 	private String expandRedirectUri(HttpServletRequest request, ClientRegistration clientRegistration) {
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolver.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolver.java
new file mode 100644
index 0000000000..1c0b99d95a
--- /dev/null
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolver.java
@@ -0,0 +1,144 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.web.method.annotation;
+
+import org.springframework.core.MethodParameter;
+import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.annotation.OAuth2Client;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.support.WebDataBinderFactory;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.method.support.ModelAndViewContainer;
+
+/**
+ * An implementation of a {@link HandlerMethodArgumentResolver} that is capable
+ * of resolving a method parameter into an argument value for the following types:
+ * {@link ClientRegistration}, {@link OAuth2AuthorizedClient} and {@link OAuth2AccessToken}.
+ *
+ * <p>
+ * For example:
+ * <pre>
+ * &#64;Controller
+ * public class MyController {
+ *     &#64;GetMapping("/client-registration")
+ *     public String clientRegistration(@OAuth2Client("login-client") ClientRegistration clientRegistration) {
+ *         // do something with clientRegistration
+ *     }
+ *
+ *     &#64;GetMapping("/authorized-client")
+ *     public String authorizedClient(@OAuth2Client("login-client") OAuth2AuthorizedClient authorizedClient) {
+ *         // do something with authorizedClient
+ *     }
+ *
+ *     &#64;GetMapping("/access-token")
+ *     public String accessToken(@OAuth2Client("login-client") OAuth2AccessToken accessToken) {
+ *         // do something with accessToken
+ *     }
+ * }
+ * </pre>
+ *
+ * @author Joe Grandja
+ * @since 5.1
+ * @see OAuth2Client
+ */
+public final class OAuth2ClientArgumentResolver implements HandlerMethodArgumentResolver {
+	private final ClientRegistrationRepository clientRegistrationRepository;
+	private final OAuth2AuthorizedClientService authorizedClientService;
+
+	/**
+	 * Constructs an {@code OAuth2ClientArgumentResolver} using the provided parameters.
+	 *
+	 * @param clientRegistrationRepository the repository of client registrations
+	 * @param authorizedClientService the authorized client service
+	 */
+	public OAuth2ClientArgumentResolver(ClientRegistrationRepository clientRegistrationRepository,
+										OAuth2AuthorizedClientService authorizedClientService) {
+		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
+		Assert.notNull(authorizedClientService, "authorizedClientService cannot be null");
+		this.clientRegistrationRepository = clientRegistrationRepository;
+		this.authorizedClientService = authorizedClientService;
+	}
+
+	@Override
+	public boolean supportsParameter(MethodParameter parameter) {
+		Class<?> parameterType = parameter.getParameterType();
+		return ((OAuth2AccessToken.class.isAssignableFrom(parameterType) ||
+				OAuth2AuthorizedClient.class.isAssignableFrom(parameterType) ||
+				ClientRegistration.class.isAssignableFrom(parameterType)) &&
+				(parameter.hasParameterAnnotation(OAuth2Client.class)));
+	}
+
+	@NonNull
+	@Override
+	public Object resolveArgument(MethodParameter parameter,
+									@Nullable ModelAndViewContainer mavContainer,
+									NativeWebRequest webRequest,
+									@Nullable WebDataBinderFactory binderFactory) throws Exception {
+
+		OAuth2Client oauth2ClientAnnotation = parameter.getParameterAnnotation(OAuth2Client.class);
+		Authentication principal = SecurityContextHolder.getContext().getAuthentication();
+
+		String clientRegistrationId = null;
+		if (!StringUtils.isEmpty(oauth2ClientAnnotation.registrationId())) {
+			clientRegistrationId = oauth2ClientAnnotation.registrationId();
+		} else if (!StringUtils.isEmpty(oauth2ClientAnnotation.value())) {
+			clientRegistrationId = oauth2ClientAnnotation.value();
+		} else if (principal != null && OAuth2AuthenticationToken.class.isAssignableFrom(principal.getClass())) {
+			clientRegistrationId = ((OAuth2AuthenticationToken) principal).getAuthorizedClientRegistrationId();
+		}
+		if (StringUtils.isEmpty(clientRegistrationId)) {
+			throw new IllegalArgumentException("Unable to resolve the Client Registration Identifier. " +
+					"It must be provided via @OAuth2Client(\"client1\") or @OAuth2Client(registrationId = \"client1\").");
+		}
+
+		if (ClientRegistration.class.isAssignableFrom(parameter.getParameterType())) {
+			ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId);
+			if (clientRegistration == null) {
+				throw new IllegalArgumentException("Unable to find ClientRegistration with registration identifier \"" +
+						clientRegistrationId + "\".");
+			}
+			return clientRegistration;
+		}
+
+		if (principal == null) {
+			// An Authentication is required given that an OAuth2AuthorizedClient is associated to a Principal
+			throw new IllegalStateException("Unable to resolve the Authorized Client with registration identifier \"" +
+					clientRegistrationId + "\". An \"authenticated\" or \"unauthenticated\" session is required. " +
+					"To allow for unauthenticated access, ensure HttpSecurity.anonymous() is configured.");
+		}
+
+		OAuth2AuthorizedClient authorizedClient = this.authorizedClientService.loadAuthorizedClient(
+			clientRegistrationId, principal.getName());
+		if (authorizedClient == null) {
+			throw new ClientAuthorizationRequiredException(clientRegistrationId);
+		}
+
+		return OAuth2AccessToken.class.isAssignableFrom(parameter.getParameterType()) ?
+			authorizedClient.getAccessToken() : authorizedClient;
+	}
+}
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
index cf9fdf95fa..3412c852d1 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
@@ -28,15 +28,13 @@ import org.springframework.security.oauth2.client.registration.InMemoryClientReg
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
-import org.springframework.security.web.savedrequest.SavedRequest;
+import org.springframework.security.web.savedrequest.RequestCache;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.util.Collections;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -53,6 +51,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 	private ClientRegistration registration3;
 	private ClientRegistrationRepository clientRegistrationRepository;
 	private OAuth2AuthorizationRequestRedirectFilter filter;
+	private RequestCache requestCache;
 
 	@Before
 	public void setUp() {
@@ -95,6 +94,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 		this.clientRegistrationRepository = new InMemoryClientRegistrationRepository(
 			this.registration1, this.registration2, this.registration3);
 		this.filter = new OAuth2AuthorizationRequestRedirectFilter(this.clientRegistrationRepository);
+		this.requestCache = mock(RequestCache.class);
+		this.filter.setRequestCache(this.requestCache);
 	}
 
 	@Test
@@ -115,6 +116,12 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 				.isInstanceOf(IllegalArgumentException.class);
 	}
 
+	@Test
+	public void setRequestCacheWhenRequestCacheIsNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> this.filter.setRequestCache(null))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
 	@Test
 	public void doFilterWhenNotAuthorizationRequestThenNextFilter() throws Exception {
 		String requestUri = "/path";
@@ -129,7 +136,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 	}
 
 	@Test
-	public void doFilterWhenAuthorizationRequestWithInvalidClientThenStatusBadRequest() throws Exception {
+	public void doFilterWhenAuthorizationRequestWithInvalidClientThenStatusInternalServerError() throws Exception {
 		String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI +
 			"/" + this.registration1.getRegistrationId() + "-invalid";
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
@@ -141,8 +148,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 
 		verifyZeroInteractions(filterChain);
 
-		assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value());
-		assertThat(response.getErrorMessage()).isEqualTo(HttpStatus.BAD_REQUEST.getReasonPhrase());
+		assertThat(response.getStatus()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR.value());
+		assertThat(response.getErrorMessage()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
 	}
 
 	@Test
@@ -320,16 +327,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 
 		assertThat(response.getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?response_type=code&client_id=client-1&scope=user&state=.{15,}&redirect_uri=http://localhost/authorize/oauth2/code/registration-1");
 
-		HttpSession session = request.getSession(false);
-		assertThat(session).isNotNull();
-		boolean requestSaved = false;
-		for (String attrName : Collections.list(session.getAttributeNames())) {
-			if (SavedRequest.class.isAssignableFrom(session.getAttribute(attrName).getClass())) {
-				requestSaved = true;
-				break;
-			}
-		}
-		assertThat(requestSaved).isTrue();
+		verify(this.requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
 	@Test
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolverTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolverTests.java
new file mode 100644
index 0000000000..5ad0fed157
--- /dev/null
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2ClientArgumentResolverTests.java
@@ -0,0 +1,260 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.web.method.annotation;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.core.MethodParameter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.annotation.OAuth2Client;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.util.ReflectionUtils;
+
+import java.lang.reflect.Method;
+
+import static org.assertj.core.api.AssertionsForClassTypes.assertThatThrownBy;
+import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+/**
+ * Tests for {@link OAuth2ClientArgumentResolver}.
+ *
+ * @author Joe Grandja
+ */
+public class OAuth2ClientArgumentResolverTests {
+	private ClientRegistrationRepository clientRegistrationRepository;
+	private OAuth2AuthorizedClientService authorizedClientService;
+	private OAuth2ClientArgumentResolver argumentResolver;
+	private ClientRegistration clientRegistration;
+	private OAuth2AuthorizedClient authorizedClient;
+	private OAuth2AccessToken accessToken;
+
+	@Before
+	public void setUp() {
+		this.clientRegistrationRepository = mock(ClientRegistrationRepository.class);
+		this.authorizedClientService = mock(OAuth2AuthorizedClientService.class);
+		this.argumentResolver = new OAuth2ClientArgumentResolver(
+			this.clientRegistrationRepository, this.authorizedClientService);
+		this.clientRegistration = ClientRegistration.withRegistrationId("client1")
+				.clientId("client-id")
+				.clientSecret("secret")
+				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+				.redirectUriTemplate("{baseUrl}/client1")
+				.scope("scope1", "scope2")
+				.authorizationUri("https://provider.com/oauth2/auth")
+				.tokenUri("https://provider.com/oauth2/token")
+				.clientName("Client 1")
+				.build();
+		when(this.clientRegistrationRepository.findByRegistrationId(anyString())).thenReturn(this.clientRegistration);
+		this.authorizedClient = mock(OAuth2AuthorizedClient.class);
+		when(this.authorizedClientService.loadAuthorizedClient(anyString(), any())).thenReturn(this.authorizedClient);
+		this.accessToken = mock(OAuth2AccessToken.class);
+		when(this.authorizedClient.getAccessToken()).thenReturn(this.accessToken);
+		SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
+		securityContext.setAuthentication(mock(Authentication.class));
+		SecurityContextHolder.setContext(securityContext);
+	}
+
+	@Test
+	public void constructorWhenClientRegistrationRepositoryIsNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> new OAuth2ClientArgumentResolver(null, this.authorizedClientService))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void constructorWhenOAuth2AuthorizedClientServiceIsNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> new OAuth2ClientArgumentResolver(this.clientRegistrationRepository, null))
+				.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeOAuth2AccessTokenThenTrue() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessToken", OAuth2AccessToken.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isTrue();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeOAuth2AccessTokenWithoutAnnotationThenFalse() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessTokenWithoutAnnotation", OAuth2AccessToken.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeOAuth2AuthorizedClientThenTrue() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isTrue();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeOAuth2AuthorizedClientWithoutAnnotationThenFalse() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClientWithoutAnnotation", OAuth2AuthorizedClient.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeClientRegistrationThenTrue() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistration", ClientRegistration.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isTrue();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeClientRegistrationWithoutAnnotationThenFalse() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistrationWithoutAnnotation", ClientRegistration.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeUnsupportedThenFalse() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeUnsupported", String.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse();
+	}
+
+	@Test
+	public void supportsParameterWhenParameterTypeUnsupportedWithoutAnnotationThenFalse() {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeUnsupportedWithoutAnnotation", String.class);
+		assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse();
+	}
+
+	@Test
+	public void resolveArgumentWhenRegistrationIdEmptyAndNotOAuth2AuthenticationThenThrowIllegalArgumentException() throws Exception {
+		MethodParameter methodParameter = this.getMethodParameter("registrationIdEmpty", OAuth2AccessToken.class);
+		assertThatThrownBy(() -> this.argumentResolver.resolveArgument(methodParameter, null, null, null))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage("Unable to resolve the Client Registration Identifier. It must be provided via @OAuth2Client(\"client1\") or @OAuth2Client(registrationId = \"client1\").");
+	}
+
+	@Test
+	public void resolveArgumentWhenRegistrationIdEmptyAndOAuth2AuthenticationThenResolves() throws Exception {
+		OAuth2AuthenticationToken authentication = mock(OAuth2AuthenticationToken.class);
+		when(authentication.getAuthorizedClientRegistrationId()).thenReturn("client1");
+		SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
+		securityContext.setAuthentication(authentication);
+		SecurityContextHolder.setContext(securityContext);
+		MethodParameter methodParameter = this.getMethodParameter("registrationIdEmpty", OAuth2AccessToken.class);
+		this.argumentResolver.resolveArgument(methodParameter, null, null, null);
+	}
+
+	@Test
+	public void resolveArgumentWhenClientRegistrationFoundThenResolves() throws Exception {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistration", ClientRegistration.class);
+		assertThat(this.argumentResolver.resolveArgument(methodParameter, null, null, null)).isSameAs(this.clientRegistration);
+	}
+
+	@Test
+	public void resolveArgumentWhenClientRegistrationNotFoundThenThrowIllegalArgumentException() throws Exception {
+		when(this.clientRegistrationRepository.findByRegistrationId(anyString())).thenReturn(null);
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistration", ClientRegistration.class);
+		assertThatThrownBy(() -> this.argumentResolver.resolveArgument(methodParameter, null, null, null))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage("Unable to find ClientRegistration with registration identifier \"client1\".");
+	}
+
+	@Test
+	public void resolveArgumentWhenParameterTypeOAuth2AuthorizedClientAndCurrentAuthenticationNullThenThrowIllegalStateException() throws Exception {
+		SecurityContextHolder.clearContext();
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class);
+		assertThatThrownBy(() -> this.argumentResolver.resolveArgument(methodParameter, null, null, null))
+				.isInstanceOf(IllegalStateException.class)
+				.hasMessage("Unable to resolve the Authorized Client with registration identifier \"client1\". " +
+						"An \"authenticated\" or \"unauthenticated\" session is required. " +
+						"To allow for unauthenticated access, ensure HttpSecurity.anonymous() is configured.");
+	}
+
+	@Test
+	public void resolveArgumentWhenOAuth2AuthorizedClientFoundThenResolves() throws Exception {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class);
+		assertThat(this.argumentResolver.resolveArgument(methodParameter, null, null, null)).isSameAs(this.authorizedClient);
+	}
+
+	@Test
+	public void resolveArgumentWhenOAuth2AuthorizedClientNotFoundThenThrowClientAuthorizationRequiredException() throws Exception {
+		when(this.authorizedClientService.loadAuthorizedClient(anyString(), any())).thenReturn(null);
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class);
+		assertThatThrownBy(() -> this.argumentResolver.resolveArgument(methodParameter, null, null, null))
+				.isInstanceOf(ClientAuthorizationRequiredException.class);
+	}
+
+	@Test
+	public void resolveArgumentWhenOAuth2AccessTokenAndOAuth2AuthorizedClientFoundThenResolves() throws Exception {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessToken", OAuth2AccessToken.class);
+		assertThat(this.argumentResolver.resolveArgument(methodParameter, null, null, null)).isSameAs(this.authorizedClient.getAccessToken());
+	}
+
+	@Test
+	public void resolveArgumentWhenOAuth2AccessTokenAndOAuth2AuthorizedClientNotFoundThenThrowClientAuthorizationRequiredException() throws Exception {
+		when(this.authorizedClientService.loadAuthorizedClient(anyString(), any())).thenReturn(null);
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessToken", OAuth2AccessToken.class);
+		assertThatThrownBy(() -> this.argumentResolver.resolveArgument(methodParameter, null, null, null))
+				.isInstanceOf(ClientAuthorizationRequiredException.class);
+	}
+
+	@Test
+	public void resolveArgumentWhenOAuth2AccessTokenAndAnnotationRegistrationIdSetThenResolves() throws Exception {
+		MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessTokenAnnotationRegistrationId", OAuth2AccessToken.class);
+		assertThat(this.argumentResolver.resolveArgument(methodParameter, null, null, null)).isSameAs(this.authorizedClient.getAccessToken());
+	}
+
+	private MethodParameter getMethodParameter(String methodName, Class<?>... paramTypes) {
+		Method method = ReflectionUtils.findMethod(TestController.class, methodName, paramTypes);
+		return new MethodParameter(method, 0);
+	}
+
+	static class TestController {
+		void paramTypeAccessToken(@OAuth2Client("client1") OAuth2AccessToken accessToken) {
+		}
+
+		void paramTypeAccessTokenWithoutAnnotation(OAuth2AccessToken accessToken) {
+		}
+
+		void paramTypeAuthorizedClient(@OAuth2Client("client1") OAuth2AuthorizedClient authorizedClient) {
+		}
+
+		void paramTypeAuthorizedClientWithoutAnnotation(OAuth2AuthorizedClient authorizedClient) {
+		}
+
+		void paramTypeClientRegistration(@OAuth2Client("client1") ClientRegistration clientRegistration) {
+		}
+
+		void paramTypeClientRegistrationWithoutAnnotation(ClientRegistration clientRegistration) {
+		}
+
+		void paramTypeUnsupported(@OAuth2Client("client1") String param) {
+		}
+
+		void paramTypeUnsupportedWithoutAnnotation(String param) {
+		}
+
+		void registrationIdEmpty(@OAuth2Client OAuth2AccessToken accessToken) {
+		}
+
+		void paramTypeAccessTokenAnnotationRegistrationId(@OAuth2Client(registrationId = "client1") OAuth2AccessToken accessToken) {
+		}
+	}
+}
diff --git a/samples/boot/oauth2/authcodegrant/src/main/java/sample/web/MainController.java b/samples/boot/oauth2/authcodegrant/src/main/java/sample/web/GitHubReposController.java
similarity index 73%
rename from samples/boot/oauth2/authcodegrant/src/main/java/sample/web/MainController.java
rename to samples/boot/oauth2/authcodegrant/src/main/java/sample/web/GitHubReposController.java
index f0e525a270..f32bdfe450 100644
--- a/samples/boot/oauth2/authcodegrant/src/main/java/sample/web/MainController.java
+++ b/samples/boot/oauth2/authcodegrant/src/main/java/sample/web/GitHubReposController.java
@@ -15,12 +15,9 @@
  */
 package sample.web;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
-import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.annotation.OAuth2Client;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -35,9 +32,7 @@ import java.util.List;
  * @author Joe Grandja
  */
 @Controller
-public class MainController {
-	@Autowired
-	private OAuth2AuthorizedClientService authorizedClientService;
+public class GitHubReposController {
 
 	@GetMapping("/")
 	public String index() {
@@ -45,16 +40,7 @@ public class MainController {
 	}
 
 	@GetMapping("/repos")
-	public String gitHubRepos(Model model, Authentication authentication) {
-		String registrationId = "github";
-
-		OAuth2AuthorizedClient authorizedClient =
-			this.authorizedClientService.loadAuthorizedClient(
-				registrationId, authentication.getName());
-		if (authorizedClient == null) {
-			throw new ClientAuthorizationRequiredException(registrationId);
-		}
-
+	public String gitHubRepos(Model model, @OAuth2Client("github") OAuth2AuthorizedClient authorizedClient) {
 		String endpointUri = "https://api.github.com/user/repos";
 		List repos = WebClient.builder()
 			.filter(oauth2Credentials(authorizedClient))
diff --git a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java
index 90d96e3fd1..1c722da290 100644
--- a/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java
+++ b/samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java
@@ -145,7 +145,7 @@ public class OAuth2LoginApplicationTests {
 	}
 
 	@Test
-	public void requestAuthorizeClientWhenInvalidClientThenStatusBadRequest() throws Exception {
+	public void requestAuthorizeClientWhenInvalidClientThenStatusInternalServerError() throws Exception {
 		HtmlPage page = this.webClient.getPage("/");
 
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google");
@@ -161,7 +161,7 @@ public class OAuth2LoginApplicationTests {
 			response = ex.getResponse();
 		}
 
-		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.BAD_REQUEST.value());
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR.value());
 	}
 
 	@Test
diff --git a/samples/boot/oauth2login/src/main/java/sample/web/MainController.java b/samples/boot/oauth2login/src/main/java/sample/web/OAuth2LoginController.java
similarity index 66%
rename from samples/boot/oauth2login/src/main/java/sample/web/MainController.java
rename to samples/boot/oauth2login/src/main/java/sample/web/OAuth2LoginController.java
index 45b93d678b..4f8fa14ca8 100644
--- a/samples/boot/oauth2login/src/main/java/sample/web/MainController.java
+++ b/samples/boot/oauth2login/src/main/java/sample/web/OAuth2LoginController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,15 +15,13 @@
  */
 package sample.web;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
-import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
-import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.annotation.OAuth2Client;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.reactive.function.client.ClientRequest;
 import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
 import org.springframework.web.reactive.function.client.WebClient;
@@ -36,22 +34,17 @@ import java.util.Map;
  * @author Joe Grandja
  */
 @Controller
-public class MainController {
+public class OAuth2LoginController {
 
-	@Autowired
-	private OAuth2AuthorizedClientService authorizedClientService;
-
-	@RequestMapping("/")
-	public String index(Model model, OAuth2AuthenticationToken authentication) {
-		OAuth2AuthorizedClient authorizedClient = this.getAuthorizedClient(authentication);
-		model.addAttribute("userName", authentication.getName());
+	@GetMapping("/")
+	public String index(Model model, @OAuth2Client OAuth2AuthorizedClient authorizedClient) {
+		model.addAttribute("userName", authorizedClient.getPrincipalName());
 		model.addAttribute("clientName", authorizedClient.getClientRegistration().getClientName());
 		return "index";
 	}
 
-	@RequestMapping("/userinfo")
-	public String userinfo(Model model, OAuth2AuthenticationToken authentication) {
-		OAuth2AuthorizedClient authorizedClient = this.getAuthorizedClient(authentication);
+	@GetMapping("/userinfo")
+	public String userinfo(Model model, @OAuth2Client OAuth2AuthorizedClient authorizedClient) {
 		Map userAttributes = Collections.emptyMap();
 		String userInfoEndpointUri = authorizedClient.getClientRegistration()
 			.getProviderDetails().getUserInfoEndpoint().getUri();
@@ -69,11 +62,6 @@ public class MainController {
 		return "userinfo";
 	}
 
-	private OAuth2AuthorizedClient getAuthorizedClient(OAuth2AuthenticationToken authentication) {
-		return this.authorizedClientService.loadAuthorizedClient(
-			authentication.getAuthorizedClientRegistrationId(), authentication.getName());
-	}
-
 	private ExchangeFilterFunction oauth2Credentials(OAuth2AuthorizedClient authorizedClient) {
 		return ExchangeFilterFunction.ofRequestProcessor(
 			clientRequest -> {