Initialize RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler when jose is on classpath

Issue gh-17246
2026-03-11 00:54:32 +00:00 · 2026-03-09 16:45:30 -04:00 · 2026-03-09 16:45:30 -04:00 · 8c0d2cccf1
commit 8c0d2cccf1
parent 612f7884ea
2 changed files with 17 additions and 4 deletions
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
@ -278,7 +278,7 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {

 		/**
 		 * Sets a {@link ReactiveOAuth2AuthorizationSuccessHandler} to use for handling
-		 * successful refresh token response, defaults to
+		 * successful refresh token response, see
 		 * {@link RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler}.
 		 * @param authorizationSuccessHandler the
 		 * {@link ReactiveOAuth2AuthorizationSuccessHandler} to use
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java
@ -36,6 +36,7 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;

 /**
 * An implementation of a {@link ReactiveOAuth2AuthorizedClientProvider} for the
@ -50,14 +51,25 @@ import org.springframework.util.Assert;
 public final class RefreshTokenReactiveOAuth2AuthorizedClientProvider
 		implements ReactiveOAuth2AuthorizedClientProvider {

+	private static final boolean josePresent = ClassUtils.isPresent(
+			"org.springframework.security.oauth2.jwt.ReactiveJwtDecoder",
+			RefreshTokenReactiveOAuth2AuthorizedClientProvider.class.getClassLoader());
+
 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient = new WebClientReactiveRefreshTokenTokenResponseClient();

-	private ReactiveOAuth2AuthorizationSuccessHandler authorizationSuccessHandler = new RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler();
+	private ReactiveOAuth2AuthorizationSuccessHandler authorizationSuccessHandler = (authorizedClient, principal,
+			attributes) -> Mono.empty();

 	private Duration clockSkew = Duration.ofSeconds(60);

 	private Clock clock = Clock.systemUTC();

+	public RefreshTokenReactiveOAuth2AuthorizedClientProvider() {
+		if (josePresent) {
+			this.authorizationSuccessHandler = new RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler();
+		}
+	}
+
 	/**
 	 * Attempt to re-authorize the
 	 * {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided
@ -128,8 +140,9 @@ public final class RefreshTokenReactiveOAuth2AuthorizedClientProvider

 	/**
 	 * Sets a {@link ReactiveOAuth2AuthorizationSuccessHandler} to use for handling
-	 * successful refresh token response, defaults to
-	 * {@link RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler}.
+	 * successful refresh token response. Defaults to
+	 * {@link RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler}, when
+	 * {@code spring-security-oauth2-jose} is available on the classpath.
 	 * @param authorizationSuccessHandler the
 	 * {@link ReactiveOAuth2AuthorizationSuccessHandler} to use
 	 * @since 7.1