Add WebFlux @RegisteredOAuth2AuthorizedClient Reference

Fixes: gh-5864

docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc

@@ -4,6 +4,8 @@ include::webflux.adoc[leveloffset=+1]
 
 include::oauth2/index.adoc[leveloffset=+1]
 
+include::registered-oauth2-authorized-client.adoc[leveloffset=+1]
+
 include::webclient.adoc[leveloffset=+1]
 
 include::method.adoc[leveloffset=+1]

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/access-token.adoc

@@ -1,4 +1,5 @@
-= Access Token
+[[webflux-oauth2-client]]
+= OAuth2 Client
 
 Spring Security's OAuth Support allows obtaining an access token without authenticating.
 A basic configuration with Spring Boot can be seen below:
@@ -31,4 +32,4 @@ SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
 }
 ----
 
-You can now leverage Spring Security's <<webclient>> support to obtain and use the access token.
+You can now leverage Spring Security's <<webclient>> or <<webflux-roac,@RegisteredOAuth2AuthorizedClient>> support to obtain and use the access token.

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/index.adoc

@@ -2,6 +2,6 @@
 
 Spring Security provides OAuth2 and WebFlux integration for reactive applications.
 
-include::login.adoc[leveloffset+=1]
+include::login.adoc[leveloffset=+1]
 
-include::access-token.adoc[leveloffset+=1]
+include::access-token.adoc[leveloffset=+1]

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc

@@ -34,7 +34,7 @@ After completing the "Obtain OAuth 2.0 credentials" instructions, you should hav
 [[webflux-oauth2-login-sample-redirect]]
 === Setting the redirect URI
 
-The redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Google and have granted access to the OAuth Client _(<<jc-oauth2login-sample-initial-setup,created in the previous step>>)_ on the Consent page.
+The redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Google and have granted access to the OAuth Client _(<<webflux-oauth2-login-sample-setup,created in the previous step>>)_ on the Consent page.
 
 In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect URIs* field is set to `http://localhost:8080/login/oauth2/code/google`.
 

docs/manual/src/docs/asciidoc/_includes/reactive/registered-oauth2-authorized-client.adoc

@@ -0,0 +1,39 @@
+[[webflux-roac]]
+= @RegisteredOAuth2AuthorizedClient
+
+Spring Security allows resolving an access token using `@RegisteredOAuth2AuthorizedClient`.
+
+[[NOTE]]
+====
+A working example can be found in {gh-samples-url}/boot/oauth2webclient-webflux[*OAuth 2.0 WebClient WebFlux sample*].
+====
+
+After configuring Spring Security for <<webflux-oauth2-login,OAuth2 Login>> or as an <<webflux-oauth2-client,OAuth2 Client>>, an `OAuth2AuthorizedClient` can be resolved using the following:
+
+[source,java]
+----
+@GetMapping("/explicit")
+Mono<String> explicit(@RegisteredOAuth2AuthorizedClient("client-id") OAuth2AuthorizedClient authorizedClient) {
+	// ...
+}
+----
+
+This integrates into Spring Security to provide the following features:
+
+* Spring Security will automatically refresh expired tokens (if a refresh token is present)
+* If an access token is requested and not present, Spring Security will automatically request the access token.
+** For `authorization_code` this involves performing the redirect and then replaying the original request
+** For `client_credentials` the token is simply requested and saved
+
+If the user authenticated using `oauth2Login()`, then the `client-id` is optional.
+For example, the following would work:
+
+[source,java]
+----
+@GetMapping("/implicit")
+Mono<String> implicit(@RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient) {
+	// ...
+}
+----
+
+This is convenient if the user always authenticates with OAuth2 Login and an access token from the same authorization server is needed.