How to set timeouts for ClientCredentials token requests in Spring Security 6.5.1?

I'm using Spring Security OAuth2 Client 6.5.1 with the ClientCredentials grant type, and need to set connect/read timeouts for token requests to the authorization server. The recommended class is RestClientClientCredentialsTokenResponseClient, but I'm having trouble configuring timeouts properly.

When I create a custom RestClient with timeout settings and set it via setRestClient(), I lose the default message converters and error handlers that RestClientClientCredentialsTokenResponseClient uses (like FormHttpMessageConverter and OAuth2AccessTokenResponseHttpMessageConverter), which breaks token parsing.

Is there a clean way to add timeout configuration to RestClientClientCredentialsTokenResponseClient without overwriting its default settings? Using Spring Boot 3.2.5, Spring Security 6.5.1.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestClient;

@Configuration
public class OAuth2ClientConfig {

    private RestClient createTimeoutRestClient() {
        // Bounded connect/read timeouts so a slow or unresponsive authorization
        // server cannot hold request threads indefinitely.
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        requestFactory.setConnectTimeout(3000);
        requestFactory.setReadTimeout(5000);

        FormHttpMessageConverter formHttpMessageConverter = new FormHttpMessageConverter();
        OAuth2AccessTokenResponseHttpMessageConverter tokenResponseConverter =
                new OAuth2AccessTokenResponseHttpMessageConverter();

        return RestClient.builder()
                // customized timeout settings; RestClient.Builder#requestFactory takes the
                // ClientHttpRequestFactory instance itself, not a Supplier
                .requestFactory(requestFactory)
                // default settings, copied from RestClientClientCredentialsTokenResponseClient
                .messageConverters(converters -> {
                    converters.clear();
                    converters.add(formHttpMessageConverter);
                    converters.add(tokenResponseConverter);
                })
                .defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
                .build();
    }

    private RestClientClientCredentialsTokenResponseClient createTokenResponseClient() {
        RestClientClientCredentialsTokenResponseClient tokenResponseClient =
                new RestClientClientCredentialsTokenResponseClient();
        // Replaces the client's internal RestClient with the timeout-aware one built above
        tokenResponseClient.setRestClient(createTimeoutRestClient());
        return tokenResponseClient;
    }

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientService authorizedClientService) {
        ClientCredentialsOAuth2AuthorizedClientProvider provider =
                new ClientCredentialsOAuth2AuthorizedClientProvider();
        provider.setAccessTokenResponseClient(createTokenResponseClient());

        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}
```
Are there any built-in Spring Security or Spring Boot APIs I’m missing to configure timeouts for OAuth2 token requests? Any best practices or code examples would be greatly appreciated!
I read through the source code and no, there is no "clean way" to do so, since the RestClient itself is an immutable construct, which means that once you have created one it can't be changed.
The base RestClient is created in a private field: https://github.com/spring-projects/spring-security/blob/f3761aff990cf043b5793a609623eda8e2756424/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractRestClientOAuth2AccessTokenResponseClient.java#L65
And when you set a different one, you are basically replacing the internal one.
You will have to submit a feature request to Spring Security for setting timeouts, and then see if they will mutate the RestClient.
My guess as to why it is designed like this is that the RestClient is just a wrapper around the client provided by the underlying web server. So when setting timeouts, it is done on the underlying client, which is very deep inside the implementation.
But that is just a guess.