Reactive Security OAuth2 client doesn't propagate traces and baggage's in Spring Boot 3 #14946

Open
DaceKonn opened this issue Apr 23, 2024 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: waiting-for-feedback We need additional information before we can continue type: bug A general bug

Comments

@DaceKonn
Describe the bug
The current version of Reactive OAuth Security doesn't follow all Observability documentation recommendations, therefore it doesn't propagate traces and baggage over the network. See: Docs Spring.io - 8.4. Propagating Traces

Class example:
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractWebClientReactiveOAuth2AccessTokenResponseClient.java

Where WebClient.Builder() is used statically - therefore it has a NOOP ObservationRegistry and doesn't register Request Observations, and doesn't allow propagating traces (for example B3 Brave Zipkin baggage propagation).

To Reproduce
Creating a Reactive OAuth client and trying to send traces and baggage to the authentication server.

Expected behavior
OAuth calls from client to server in Reactive Security and Spring Boot 3 start proper request observations and propagate baggage.

@sjohnr sjohnr self-assigned this May 9, 2024
@sjohnr
Member

sjohnr commented May 9, 2024

Thanks for the report @DaceKonn! I'm not sure I agree with classifying this as a bug, and instead feel this might make a good enhancement request. I don't find anywhere in the docs that we state the OAuth2 Client features support downstream propagation. Do you find anything like that?

Note that you will easily be able to configure a custom WebClient for any OAuth2 Client component in 6.3 (soon to be released) by following Customize the WebClient used by OAuth2 Client Components in the reference (this link currently points to RC1 docs). That section of the docs also includes a more verbose example that works prior to 6.3.
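
One way to give the client-credentials token client a WebClient that carries a real ObservationRegistry instead of the NOOP one, as an added example (not code from this thread or from the Spring Security project). It assumes a Spring Boot 3 application whose `ObservationRegistry` bean has tracing handlers registered; the class name `OAuth2ClientObservationConfig` and the bean method names are hypothetical.

```java
import io.micrometer.observation.ObservationRegistry;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.web.reactive.function.client.WebClient;

// Hypothetical configuration class; not part of Spring Security.
@Configuration
public class OAuth2ClientObservationConfig {

    // Token client whose WebClient is built with the application's registry,
    // so token-endpoint calls start request observations and can propagate
    // trace context through whatever handlers the registry has.
    @Bean
    WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient(
            ObservationRegistry observationRegistry) {
        WebClient webClient = WebClient.builder()
                .observationRegistry(observationRegistry)
                .build();
        WebClientReactiveClientCredentialsTokenResponseClient client =
                new WebClientReactiveClientCredentialsTokenResponseClient();
        client.setWebClient(webClient);
        return client;
    }

    // Pre-6.3 style wiring: hand the customized token client to the
    // authorized-client provider explicitly.
    @Bean
    ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
            ReactiveClientRegistrationRepository registrations,
            ServerOAuth2AuthorizedClientRepository authorizedClients,
            WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient) {
        ReactiveOAuth2AuthorizedClientProvider provider =
                ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                        .clientCredentials(c -> c.accessTokenResponseClient(tokenResponseClient))
                        .build();
        DefaultReactiveOAuth2AuthorizedClientManager manager =
                new DefaultReactiveOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}
```

Only the client-credentials grant is covered here; other grant types have their own token response clients that would need the same `setWebClient` call.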
