Auto-configuration overrides authorization server configuration applied by Customizer<HttpSecurity> beans

[rwinch]

Spring Boot's auto configuration should use HttpSecurity.oauth2AuthorizationServer instead of HttpSecurity.with.

• Spring Boot's auto configuration currently overrides authorization server configuration applied by users providing Customizer<HttpSecurity> Beans. Switching to oauth2AuthorzationServer (which caches previous invocations made by the Customizer<HttpSecurity>) will fix this problem.
• The built in DSL is the modern and documented way to configure Authorization Server in Spring Security 7.

[wilkinsona]

Thanks, @rwinch. Just double-checking, this sounds like a bug that we should fix in 4.0.x. Do you agree?

[rwinch]

Thanks @wilkinsona Yes, ideally it would be fixed in 4.0.x as well