Initialize RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler when jose is on classpath

jgrandja · jgrandja · commit 8c0d2cccf1d9 · 2026-03-09T17:03:49.000-04:00
Issue gh-17246
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
@@ -278,7 +278,7 @@ public RefreshTokenGrantBuilder accessTokenResponseClient(
 
 		/**
 		 * Sets a {@link ReactiveOAuth2AuthorizationSuccessHandler} to use for handling
-		 * successful refresh token response, defaults to
+		 * successful refresh token response, see
 		 * {@link RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler}.
 		 * @param authorizationSuccessHandler the
 		 * {@link ReactiveOAuth2AuthorizationSuccessHandler} to use
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java
@@ -36,6 +36,7 @@
 import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;
 
 /**
  * An implementation of a {@link ReactiveOAuth2AuthorizedClientProvider} for the
@@ -50,14 +51,25 @@
 public final class RefreshTokenReactiveOAuth2AuthorizedClientProvider
 		implements ReactiveOAuth2AuthorizedClientProvider {
 
+	private static final boolean josePresent = ClassUtils.isPresent(
+			"org.springframework.security.oauth2.jwt.ReactiveJwtDecoder",
+			RefreshTokenReactiveOAuth2AuthorizedClientProvider.class.getClassLoader());
+
 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient = new WebClientReactiveRefreshTokenTokenResponseClient();
 
-	private ReactiveOAuth2AuthorizationSuccessHandler authorizationSuccessHandler = new RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler();
+	private ReactiveOAuth2AuthorizationSuccessHandler authorizationSuccessHandler = (authorizedClient, principal,
+			attributes) -> Mono.empty();
 
 	private Duration clockSkew = Duration.ofSeconds(60);
 
 	private Clock clock = Clock.systemUTC();
 
+	public RefreshTokenReactiveOAuth2AuthorizedClientProvider() {
+		if (josePresent) {
+			this.authorizationSuccessHandler = new RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler();
+		}
+	}
+
 	/**
 	 * Attempt to re-authorize the
 	 * {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided
@@ -128,8 +140,9 @@ public void setAccessTokenResponseClient(
 
 	/**
 	 * Sets a {@link ReactiveOAuth2AuthorizationSuccessHandler} to use for handling
-	 * successful refresh token response, defaults to
-	 * {@link RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler}.
+	 * successful refresh token response. Defaults to
+	 * {@link RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandler}, when
+	 * {@code spring-security-oauth2-jose} is available on the classpath.
 	 * @param authorizationSuccessHandler the
 	 * {@link ReactiveOAuth2AuthorizationSuccessHandler} to use
 	 * @since 7.1
