My application needs to connect to a third party provider which requires OAuth2 authentication. I use Spring Security 6 (with Spring Boot 3.2) and I am trying to configure a WebClient to use OAuth2.
Based on my reading, I added this config in my application.yml:
```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          oauth-client:
            provider: oauth-server
            client-id: abcdefgh
            client-secret: secret
            authorization-grant-type: authorization_code
        provider:
          oauth-server:
            issuer-uri: https://oauth-third-party.com/apigw
            authorization-uri: https://oauth-third-party.com/apigw/oauth/auth
            token-uri: https://oauth-third-party.com/apigw/oauth/token
```
Spring Boot then kindly creates some OAuth Spring beans which I can use to configure my WebClient:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class SecurityConfig {

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {

        OAuth2AuthorizedClientProvider authorizedClientProvider =
                OAuth2AuthorizedClientProviderBuilder.builder()
                        .clientCredentials()
                        .build();

        DefaultOAuth2AuthorizedClientManager authorizedClientManager =
                new DefaultOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientRepository);
        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

        return authorizedClientManager;
    }

    @Bean
    public WebClient oAuthWebClient(OAuth2AuthorizedClientManager authorizedClientManager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        oauth2Client.setDefaultClientRegistrationId("oauth2-client");

        return WebClient.builder()
                .apply(oauth2Client.oauth2Configuration())
                .build();
    }
}
```
Then the call with the WebClient:

```java
Flux<ReportingProcessEvent> result = oauthWebClient.get()
        .uri("https://oauth-third-party/regis-tr/file-processing/v1/records?filter[date]=2024-01-30")
        .retrieve()
        .bodyToFlux(ReportingProcessEvent.class);
```
I get a 403 error and these are the console messages I get:

```
2024-01-30 17:10:07 [...] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - [AnonymousAuthenticationFilter.java:119] - Set SecurityContextHolder to anonymous SecurityContext
2024-01-30 17:10:07 [...] DEBUG o.s.s.w.s.HttpSessionRequestCache - [HttpSessionRequestCache.java:80] - Saved request https://localhost:5000/oauth?continue to session
2024-01-30 17:10:07 [...] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - [DelegatingAuthenticationEntryPoint.java:79] - Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@7da07d8c, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda/0x000001c881d138d8@283e8284]
2024-01-30 17:10:07 [...] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - [DelegatingAuthenticationEntryPoint.java:82] - Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@44913b90
2024-01-30 17:10:07 [...] DEBUG o.s.s.web.DefaultRedirectStrategy - [DefaultRedirectStrategy.java:61] - Redirecting to https://localhost:5000/oauth2/authorization/oauth-client
2024-01-30 17:10:07 [...] DEBUG o.s.security.web.FilterChainProxy - [FilterChainProxy.java:223] - Securing GET /oauth2/authorization/oauth-client
2024-01-30 17:10:07 [...] DEBUG o.s.s.web.DefaultRedirectStrategy - [DefaultRedirectStrategy.java:61] - Redirecting to https://oauth-third-party/apigw/oauth/auth?response_type=code&client_id=abcdefgh&scope=read%20write&state=3P_MMc-yQdU%3D&redirect_uri=https://localhost:5000/login/oauth2/code/oauth-client
```
I discovered that the controllers are not even reached; I am directly redirected to the OAuth provider, which is not what I want. It is only when I call the third-party URL that OAuth should kick in, so what did I miss?
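As an added example, not code from the original post: the same wiring (registration in `application.yml`, `OAuth2AuthorizedClientManager`, `WebClient` with the servlet exchange filter) written out so that the application acts purely as an OAuth2 *client* towards the third party, without `oauth2Login` redirecting the application's own incoming requests to the provider. It assumes the machine-to-machine `client_credentials` grant (the `authorization-grant-type` in the registration and the provider built into the manager must agree), a registration id `oauth-client` that is spelled identically in both places, and a hypothetical `ReportingClient` service plus a hypothetical `/api/**` path prefix for the application's own endpoints.

```java
// Added example (not from the original post). Assumed application.yml:
//
// spring:
//   security:
//     oauth2:
//       client:
//         registration:
//           oauth-client:                       # id used below, must match exactly
//             provider: oauth-server
//             client-id: abcdefgh
//             client-secret: ${OAUTH_CLIENT_SECRET}   # keep secrets out of the file
//             authorization-grant-type: client_credentials
//         provider:
//           oauth-server:
//             token-uri: https://oauth-third-party.com/apigw/oauth/token

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.Customizer;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class OAuthClientConfig {

    // Single place for the registration id so the YAML key and the filter cannot drift apart.
    static final String REGISTRATION_ID = "oauth-client";

    // The application's own filter chain: oauth2Client() wires the client support
    // (token acquisition, authorized-client storage) WITHOUT oauth2Login(), so an
    // unauthenticated request to our own controllers is no longer redirected to
    // the third-party authorization endpoint. How the app's own endpoints are
    // protected is a separate decision; here the assumed /api/** prefix is open.
    @Bean
    public SecurityFilterChain appFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").permitAll()   // assumed path prefix
                .anyRequest().authenticated())
            .oauth2Client(Customizer.withDefaults());
        return http.build();
    }

    // client_credentials: the manager obtains and caches a token for the registration
    // on first use and re-requests it when it expires; no browser round trip exists.
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()   // must match authorization-grant-type above
                .build();
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // The exchange filter attaches "Authorization: Bearer <token>" to outgoing requests
    // for the configured registration only; the app's inbound security is untouched.
    @Bean
    public WebClient thirdPartyWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId(REGISTRATION_ID);
        return WebClient.builder()
                .baseUrl("https://oauth-third-party.com")   // host from the post's config
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}

// Hypothetical caller: only this outbound call carries the bearer token.
@org.springframework.stereotype.Service
class ReportingClient {
    private final WebClient client;

    ReportingClient(WebClient thirdPartyWebClient) {
        this.client = thirdPartyWebClient;
    }

    reactor.core.publisher.Flux<ReportingProcessEvent> recordsFor(String isoDate) {
        return client.get()
                .uri(uri -> uri.path("/regis-tr/file-processing/v1/records")
                        .queryParam("filter[date]", isoDate)   // builder encodes the brackets
                        .build())
                .retrieve()
                .bodyToFlux(ReportingProcessEvent.class);
    }
}
```

The point of keeping `REGISTRATION_ID` as a constant is that `setDefaultClientRegistrationId` fails only at request time when the id does not exist in the repository, so a silent mismatch between the YAML key and the filter surfaces as a confusing runtime error rather than at startup. Spring Boot's own `ReportingProcessEvent` is whatever type the application already defines; it is assumed here as in the post.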