UnsatisfiedDependencyException for OAuth2AuthorizedClientManagerRegistrar in Spring Security 6.2.8

[mantu-ms]

Describe the bug
I encountered an UnsatisfiedDependencyException while migrating from Spring Security 6.1.9 to 6.2.8. The exception occurs during the initialization of the OAuth2ClientConfiguration class, specifically when trying to create a bean for OAuth2AuthorizedClientManagerRegistrar.

ERROR [main] (ContextLoader.java294) - Context initialization failed 2025-04-22 20:14:02 org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through method 'setAuthorizedClientManagerRegistrar' parameter 0: No qualifying bean of type 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}

To Reproduce

• Upgrade Spring Security from 6.1.9 to 6.2.8.

• Attempt to initialize the application context.

Expected behavior
The application context should initialize without errors, and the OAuth2AuthorizedClientManagerRegistrar bean should be correctly registered.

Actual Behavior
The application fails to initialize, throwing an UnsatisfiedDependencyException due to the missing OAuth2AuthorizedClientManagerRegistrar bean.

Sample Configuration

`
@configuration
public class CustomOAuth2ClientConfig {

    @bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {
        OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken()
                .clientCredentials()
                .password()
                .build();
        DefaultOAuth2AuthorizedClientManager authorizedClientManager =
                new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
        return authorizedClientManager;
    }
`
Additional Information

• CustomOAuth2ClientConfig has other bean configuration like ClientRegistrationRepository, OAuth2ProtectedResourceDetailsCustom, OAuth2AuthorizedClientService, OAuth2AuthorizedClientRepository, AuthorizationRequestRepository, OAuth2AuthorizationRequestRedirectFilter, CustomOAuth2AuthorizationRequestResolver, CustomOAuth2LoginAuthenticationFilter, CustomOAuth2LoginAuthenticationProvider, DefaultAuthorizationCodeTokenResponseClient, CustomOAuth2UserService, OAuthAuthenticationFailureHandler

• The migration guide for Spring Security 6.2 does not mention changes related to OAuth2AuthorizedClientManagerRegistrar, this was not there in 6.1.x, it's added in 6.2.x

• @import Initialization Order in OAuth2ClientConfiguration could be problems ? : The OAuth2ClientWebMvcImportSelector is initialized before the OAuth2AuthorizedClientManagerConfiguration, but the latter creates the authorizedClientManagerRegistrar bean, which is required during the initialization of the former.

Environment:

Spring Security version: 6.2.8
Java version: 17
Build tool: Maven

Request for Help: I would appreciate any guidance on resolving this issue or confirmation if there is any config issue in my code

[jzheaux]

Hi, @mantu-ms. Both 6.1.x and 6.2.x are no longer supported, though if it is indeed a bug, it may be in supported versions os Spring Security as well.

Are you able to create a minimal GitHub sample that reproduces the issue and that is based on 6.3.x or another supported release?

[mantu-ms]

@jzheaux thanks for your attention , I tried with 6.4.5 as well , getting same error.

I will try to create a minimal sample and reproduce it . Just an FYI my project is not on spring boot.

One question regarding the import order in OAuth2ClientConfiguration.java, The OAuth2ClientWebMvcImportSelector is initialized before the OAuth2AuthorizedClientManagerConfiguration, but the latter creates the authorizedClientManagerRegistrar bean, which is required during the initialization of the former.

#https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

[mantu-ms]

Hey @jzheaux

I have created a sample that reproduce the issue (with latest version spring 6.2.6 and security 6.4.5).

https://github.com/mantusingh/spring-security-issue/tree/main/spring-security-issue

Run :- ./run-docker.sh (https://github.com/mantusingh/spring-security-issue/blob/main/README.md )

Spring Security attempts to create two beans with the same name, one from "org.springframework.security.config.http.OAuth2AuthorizedClientManagerRegistrar" and another from "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar". This leads to a conflict during Spring container initialization. Below is the detailed analysis:

---

Bean Registration via SecurityNamespaceHandler:
If security tags (e.g., <http></http>) are defined in applicationContext.xml, the SecurityNamespaceHandler uses HttpSecurityBeanDefinitionParser to parse these tags. During this process, the AuthenticationConfigBuilder.registerOAuth2ClientPostProcessors() method registers the bean org.springframework.security.config.http.OAuth2AuthorizedClientManagerRegistrar with the name authorizedClientManagerRegistrar:

private void registerOAuth2ClientPostProcessors() {
    if (!this.oauth2LoginEnabled && !this.oauth2ClientEnabled) {
        return;
    }
    if (webMvcPresent) {
        this.pc.getReaderContext()
            .registerWithGeneratedName(new RootBeanDefinition(OAuth2ClientWebMvcSecurityPostProcessor.class));
    }
    this.pc.getReaderContext()
        .getRegistry()
        .registerBeanDefinition(OAuth2AuthorizedClientManagerRegistrar.BEAN_NAME,
                new RootBeanDefinition(OAuth2AuthorizedClientManagerRegistrar.class));
}

Configuration Class Processing:
Later, the ConfigurationClassBeanDefinitionReader processes configuration classes and attempts to load the bean definition for org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar. However, it skips this bean definition because a bean with the same name (authorizedClientManagerRegistrar) already exists. The following debug message is logged:

DEBUG [main] (ConfigurationClassBeanDefinitionReader.java347) - Skipping bean definition for BeanMethod: org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerConfiguration.authorizedClientManagerRegistrar(): a definition for bean 'authorizedClientManagerRegistrar' already exists. This top-level bean definition is considered as an override.

Dependency Resolution Failure:
The OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration class requires org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar as a constructor dependency. Since the bean definition for this class was skipped, the Spring container fails to initialize, resulting in the following exception:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2: 
No qualifying bean of type 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}

[mantu-ms]

@jzheaux @spring-projects-issues Can anyone please check on this issue?

[mantu-ms]

@jzheaux Can anyone please check on this issue?

[jgrandja]

@mantu-ms I took a look at your sample and you are configuring Spring Security in both the XML Config and Java Config.

XML Config and Java Config are not intended to be compatible and you really need to choose one approach for configuration (XML or Java). Having said that, it might be possible to get both approaches working but it could lead to unexpected behaviour.

I'm going to close this as a misconfiguration.