Skip to content

UnsatisfiedDependencyException for OAuth2AuthorizedClientManagerRegistrar in Spring Security 6.2.8 #17009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mantu-ms opened this issue Apr 28, 2025 · 3 comments
Open

UnsatisfiedDependencyException for OAuth2AuthorizedClientManagerRegistrar in Spring Security 6.2.8 #17009

mantu-ms opened this issue Apr 28, 2025 · 3 comments
Labels
status: feedback-provided Feedback has been provided

Comments

@mantu-ms
Copy link

Describe the bug
I encountered an UnsatisfiedDependencyException while migrating from Spring Security 6.1.9 to 6.2.8. The exception occurs during the initialization of the OAuth2ClientConfiguration class, specifically when trying to create a bean for OAuth2AuthorizedClientManagerRegistrar.

ERROR [main] (ContextLoader.java294) - Context initialization failed 2025-04-22 20:14:02 org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through method 'setAuthorizedClientManagerRegistrar' parameter 0: No qualifying bean of type 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}

To Reproduce

  • Upgrade Spring Security from 6.1.9 to 6.2.8.

  • Attempt to initialize the application context.

Expected behavior
The application context should initialize without errors, and the OAuth2AuthorizedClientManagerRegistrar bean should be correctly registered.

Actual Behavior
The application fails to initialize, throwing an UnsatisfiedDependencyException due to the missing OAuth2AuthorizedClientManagerRegistrar bean.

Sample Configuration

`
@configuration
public class CustomOAuth2ClientConfig {

    @bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {
        OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken()
                .clientCredentials()
                .password()
                .build();
        DefaultOAuth2AuthorizedClientManager authorizedClientManager =
                new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
        return authorizedClientManager;
    }
`
Additional Information

  • CustomOAuth2ClientConfig has other bean configuration like ClientRegistrationRepository, OAuth2ProtectedResourceDetailsCustom, OAuth2AuthorizedClientService, OAuth2AuthorizedClientRepository, AuthorizationRequestRepository, OAuth2AuthorizationRequestRedirectFilter, CustomOAuth2AuthorizationRequestResolver, CustomOAuth2LoginAuthenticationFilter, CustomOAuth2LoginAuthenticationProvider, DefaultAuthorizationCodeTokenResponseClient, CustomOAuth2UserService, OAuthAuthenticationFailureHandler

  • The migration guide for Spring Security 6.2 does not mention changes related to OAuth2AuthorizedClientManagerRegistrar, this was not there in 6.1.x, it's added in 6.2.x

  • @import Initialization Order in OAuth2ClientConfiguration could be problems ? : The OAuth2ClientWebMvcImportSelector is initialized before the OAuth2AuthorizedClientManagerConfiguration, but the latter creates the authorizedClientManagerRegistrar bean, which is required during the initialization of the former.

Environment:

Spring Security version: 6.2.8
Java version: 17
Build tool: Maven

Request for Help: I would appreciate any guidance on resolving this issue or confirmation if there is any config issue in my code
@mantu-ms mantu-ms added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 28, 2025
@jzheaux
Copy link
Contributor

jzheaux commented May 2, 2025

Hi, @mantu-ms. Both 6.1.x and 6.2.x are no longer supported, though if it is indeed a bug, it may be in supported versions os Spring Security as well.

Are you able to create a minimal GitHub sample that reproduces the issue and that is based on 6.3.x or another supported release?

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 2, 2025
@mantu-ms
Copy link
Author

mantu-ms commented May 3, 2025

@jzheaux thanks for your attention , I tried with 6.4.5 as well , getting same error.

I will try to create a minimal sample and reproduce it . Just an FYI my project is not on spring boot.

One question regarding the import order in OAuth2ClientConfiguration.java, The OAuth2ClientWebMvcImportSelector is initialized before the OAuth2AuthorizedClientManagerConfiguration, but the latter creates the authorizedClientManagerRegistrar bean, which is required during the initialization of the former.

#https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels May 3, 2025
@mantu-ms
Copy link
Author

mantu-ms commented May 5, 2025
edited
Loading

Hey @jzheaux

I have created a sample that reproduce the issue (with latest version spring 6.2.6 and security 6.4.5).

https://github.com/mantusingh/spring-security-issue/tree/main/spring-security-issue

Run :- ./run-docker.sh (https://github.com/mantusingh/spring-security-issue/blob/main/README.md )

Spring Security attempts to create two beans with the same name, one from "org.springframework.security.config.http.OAuth2AuthorizedClientManagerRegistrar" and another from "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar". This leads to a conflict during Spring container initialization. Below is the detailed analysis:

Bean Registration via SecurityNamespaceHandler:
If security tags (e.g., <http></http>) are defined in applicationContext.xml, the SecurityNamespaceHandler uses HttpSecurityBeanDefinitionParser to parse these tags. During this process, the AuthenticationConfigBuilder.registerOAuth2ClientPostProcessors() method registers the bean org.springframework.security.config.http.OAuth2AuthorizedClientManagerRegistrar with the name authorizedClientManagerRegistrar:

private void registerOAuth2ClientPostProcessors() {
    if (!this.oauth2LoginEnabled && !this.oauth2ClientEnabled) {
        return;
    }
    if (webMvcPresent) {
        this.pc.getReaderContext()
            .registerWithGeneratedName(new RootBeanDefinition(OAuth2ClientWebMvcSecurityPostProcessor.class));
    }
    this.pc.getReaderContext()
        .getRegistry()
        .registerBeanDefinition(OAuth2AuthorizedClientManagerRegistrar.BEAN_NAME,
                new RootBeanDefinition(OAuth2AuthorizedClientManagerRegistrar.class));
}

Configuration Class Processing:
Later, the ConfigurationClassBeanDefinitionReader processes configuration classes and attempts to load the bean definition for org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar. However, it skips this bean definition because a bean with the same name (authorizedClientManagerRegistrar) already exists. The following debug message is logged:

DEBUG [main] (ConfigurationClassBeanDefinitionReader.java347) - Skipping bean definition for BeanMethod: org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerConfiguration.authorizedClientManagerRegistrar(): a definition for bean 'authorizedClientManagerRegistrar' already exists. This top-level bean definition is considered as an override.

Dependency Resolution Failure:
The OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration class requires org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar as a constructor dependency. Since the bean definition for this class was skipped, the Spring container fails to initialize, resulting in the following exception:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2: 
No qualifying bean of type 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2AuthorizedClientManagerRegistrar' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: feedback-provided Feedback has been provided
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jzheaux @spring-projects-issues @mantu-ms