Closed
Description
Summary
`WebClientReactiveClientCredentialsTokenResponseClient` always sets an `Authorization` header for basic auth even if the `ClientAuthenticationMethod` is `POST`.
Actual Behavior
```java
ClientRegistration.withRegistrationId("xxxx")
        .clientAuthenticationMethod(ClientAuthenticationMethod.POST)
        // etc...
```
Results in a request being made to the `tokenUri` with `Basic XXXX` in the `Authorization` header.
Expected Behavior
There should be no `Authorization` header set at all; the client id and client secret should only be in the POST body.
Version
5.1.5.RELEASE
Looking at the code in `WebClientReactiveClientCredentialsTokenResponseClient`, it's obvious what the cause is:
```java
private Consumer<HttpHeaders> headers(ClientRegistration clientRegistration) {
    return headers -> {
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        // Unconditional: runs for every ClientAuthenticationMethod, including POST
        headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
        if (ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
            headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
        }
    };
}
```
Looks like someone forgot to remove the first call to `headers.setBasicAuth()` when adding the check for `ClientAuthenticationMethod == BASIC`...
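To make the wire-level effect of the bug concrete, here is an added example that is not part of the issue or of Spring Security: a small Python model of how a client-credentials token request is authenticated under the two methods discussed above (`client_secret_basic` vs `client_secret_post`, RFC 6749 section 2.3.1), a function that reproduces the reported 5.1.5 behaviour by setting the Basic header unconditionally (the exact shape of the body in that version is assumed, not taken from the page), and a check that flags a request carrying more than one client authentication method. RFC 6749 section 2.3 forbids a client from using more than one authentication method in a single request, which is why an authorization server is entitled to reject the doubly-authenticated request the bug produces. The client id and secret are constructed sample values.

```python
# Added example (not Spring Security code): models OAuth 2.0 client
# authentication on a client-credentials token request and checks that
# exactly one authentication method is used per request (RFC 6749 2.3).
import base64
from typing import Optional
from urllib.parse import urlencode, parse_qs, quote, unquote


def basic_credential(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for client_secret_basic (RFC 6749 2.3.1).

    The RFC form-urlencodes each part before it becomes the Basic
    userid/password, so a ':' or '@' inside a secret stays unambiguous.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def decode_basic_credential(header_value: str) -> tuple:
    """Inverse of basic_credential; handy when inspecting a captured request."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(b64).decode("ascii").partition(":")
    return unquote(user), unquote(password)


def build_token_request(method: str, client_id: str, client_secret: str,
                        scope: Optional[str] = None) -> dict:
    """Correct client-credentials token request for one authentication method.

    method is "basic" (client_secret_basic) or "post" (client_secret_post),
    mirroring the two ClientAuthenticationMethod values in the issue.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    if method == "basic":
        headers["Authorization"] = basic_credential(client_id, client_secret)
    elif method == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported method {method!r}")
    return {"headers": headers, "body": urlencode(form)}


def build_token_request_buggy(method: str, client_id: str, client_secret: str,
                              scope: Optional[str] = None) -> dict:
    """Model of the 5.1.5 behaviour reported in the issue (assumed shape).

    The body is built for the configured method, but the Basic header is
    set unconditionally, so a POST-configured client ends up sending both.
    """
    request = build_token_request(method, client_id, client_secret, scope)
    request["headers"]["Authorization"] = basic_credential(client_id, client_secret)
    return request


def authentication_methods_used(request: dict) -> set:
    """Which client authentication methods a token request actually carries."""
    used = set()
    if request["headers"].get("Authorization", "").startswith("Basic "):
        used.add("basic")
    if "client_secret" in parse_qs(request["body"]):
        used.add("post")
    return used


def is_rfc6749_compliant(request: dict) -> bool:
    """RFC 6749 2.3: a client MUST NOT use more than one authentication
    method per request; zero methods means the confidential client never
    authenticated at all, so only exactly one is acceptable."""
    return len(authentication_methods_used(request)) == 1


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for builder in (build_token_request, build_token_request_buggy):
        req = builder("post", "my-client", "s3cret")
        print(builder.__name__, sorted(authentication_methods_used(req)),
              "compliant" if is_rfc6749_compliant(req) else "NOT compliant")
```

`build_token_request_buggy("post", ...)` yields a request that `authentication_methods_used` reports as both `basic` and `post`, which is exactly the symptom in the issue; the fix in the Spring code is to drop the unconditional `setBasicAuth` call so that only the branch guarded by the `BASIC` check remains. The same check function is useful against a proxy capture of a real token request when diagnosing `invalid_client` responses from a strict authorization server.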