Update reactive OAuth2 docs

Issue gh-15938

Author: sjohnr

docs/modules/ROOT/pages/reactive/oauth2/client/authorization-grants.adoc

@@ -1,9 +1,10 @@
-[[oauth2Client-additional-features]]
-= Authorized Clients
+[[oauth2-client-additional-features]]
+= [[oauth2Client-additional-features]]Authorized Client Features
 
+This section covers additional features provided by Spring Security for OAuth2 Client.
 
-[[oauth2Client-registered-authorized-client]]
-== Resolving an Authorized Client
+[[oauth2-client-registered-authorized-client]]
+== [[oauth2Client-registered-authorized-client]]Resolving an Authorized Client
 
 The `@RegisteredOAuth2AuthorizedClient` annotation provides the capability of resolving a method parameter to an argument value of type `OAuth2AuthorizedClient`.
 This is a convenient alternative compared to accessing the `OAuth2AuthorizedClient` using the `ReactiveOAuth2AuthorizedClientManager` or `ReactiveOAuth2AuthorizedClientService`.
@@ -42,16 +43,15 @@ class OAuth2ClientController {
 ----
 ======
 
-The `@RegisteredOAuth2AuthorizedClient` annotation is handled by `OAuth2AuthorizedClientArgumentResolver`, which directly uses a <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits it's capabilities.
+The `@RegisteredOAuth2AuthorizedClient` annotation is handled by `OAuth2AuthorizedClientArgumentResolver`, which directly uses a xref:reactive/oauth2/client/core.adoc#oauth2Client-authorized-manager-provider[ReactiveOAuth2AuthorizedClientManager] and therefore inherits it's capabilities.
 
-
-[[oauth2Client-webclient-webflux]]
-== WebClient integration for Reactive Environments
+[[oauth2-client-web-client]]
+== [[oauth2Client-webclient-webflux]]WebClient integration for Reactive Environments
 
 The OAuth 2.0 Client support integrates with `WebClient` using an `ExchangeFilterFunction`.
 
 The `ServerOAuth2AuthorizedClientExchangeFilterFunction` provides a simple mechanism for requesting protected resources by using an `OAuth2AuthorizedClient` and including the associated `OAuth2AccessToken` as a Bearer Token.
-It directly uses an <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits the following capabilities:
+It directly uses an xref:reactive/oauth2/client/core.adoc#oauth2Client-authorized-manager-provider[ReactiveOAuth2AuthorizedClientManager] and therefore inherits the following capabilities:
 
 * An `OAuth2AccessToken` will be requested if the client has not yet been authorized.
 ** `authorization_code` - triggers the Authorization Request redirect to initiate the flow
@@ -91,6 +91,7 @@ fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): W
 ----
 ======
 
+[[oauth2-client-web-client-authorized-client]]
 === Providing the Authorized Client
 
 The `ServerOAuth2AuthorizedClientExchangeFilterFunction` determines the client to use (for a request) by resolving the `OAuth2AuthorizedClient` from the `ClientRequest.attributes()` (request attributes).
@@ -184,7 +185,7 @@ fun index(): Mono<String> {
 ======
 <1> `clientRegistrationId()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
 
-
+[[oauth2-client-web-client-default-authorized-client]]
 === Defaulting the Authorized Client
 
 If neither `OAuth2AuthorizedClient` or `ClientRegistration.getRegistrationId()` is provided as a request attribute, the `ServerOAuth2AuthorizedClientExchangeFilterFunction` can determine the _default_ client to use depending on it's configuration.

docs/modules/ROOT/pages/reactive/oauth2/client/authorized-clients.adoc

@@ -1,9 +1,10 @@
-[[oauth2Client-client-auth-support]]
-= Client Authentication Support
+[[oauth2-client-authentication]]
+= [[oauth2Client-client-auth-support]]Client Authentication Support
 
-[[oauth2Client-client-credentials-auth]]
-== Client Credentials
+[[oauth2-client-authentication-client-credentials]]
+== [[oauth2Client-client-credentials-auth]]Client Credentials
 
+[[oauth2-client-authentication-client-credentials-client-secret-basic]]
 === Authenticate using `client_secret_basic`
 
 Client Authentication with HTTP Basic is supported out of the box and no customization is necessary to enable it.
@@ -55,6 +56,7 @@ tokenResponseClient.setHeadersConverter(headersConverter)
 ----
 ======
 
+[[oauth2-client-authentication-client-credentials-client-secret-post]]
 === Authenticate using `client_secret_post`
 
 Client Authentication with client credentials included in the request-body is supported out of the box and no customization is necessary to enable it.
@@ -76,8 +78,8 @@ spring:
             ...
 ----
 
-[[oauth2Client-jwt-bearer-auth]]
-== JWT Bearer
+[[oauth2-client-authentication-jwt-bearer]]
+== [[oauth2Client-jwt-bearer-auth]]JWT Bearer
 
 [NOTE]
 Please refer to JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants for further details on https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer] Client Authentication.
@@ -89,7 +91,7 @@ a signed JSON Web Token (JWS) in the `client_assertion` parameter.
 The `java.security.PrivateKey` or `javax.crypto.SecretKey` used for signing the JWS
 is supplied by the `com.nimbusds.jose.jwk.JWK` resolver associated with `NimbusJwtClientAuthenticationParametersConverter`.
 
-
+[[oauth2-client-authentication-jwt-bearer-private-key-jwt]]
 === Authenticate using `private_key_jwt`
 
 Given the following Spring Boot properties for an OAuth 2.0 Client registration:
@@ -160,7 +162,7 @@ tokenResponseClient.addParametersConverter(
 ----
 ======
 
-
+[[oauth2-client-authentication-jwt-bearer-client-secret-jwt]]
 === Authenticate using `client_secret_jwt`
 
 Given the following Spring Boot properties for an OAuth 2.0 Client registration:
@@ -230,6 +232,7 @@ tokenResponseClient.addParametersConverter(
 ----
 ======
 
+[[oauth2-client-authentication-jwt-bearer-assertion]]
 === Customizing the JWT assertion
 
 The JWT produced by `NimbusJwtClientAuthenticationParametersConverter` contains the `iss`, `sub`, `aud`, `jti`, `iat` and `exp` claims by default. You can customize the headers and/or claims by providing a `Consumer<NimbusJwtClientAuthenticationParametersConverter.JwtClientAuthenticationContext<T>>` to `setJwtClientAssertionCustomizer()`. The following example shows how to customize claims of the JWT:
@@ -265,8 +268,8 @@ converter.setJwtClientAssertionCustomizer { context ->
 ----
 ======
 
-[[oauth2Client-public-auth]]
-== Public Authentication
+[[oauth2-client-authentication-public]]
+== [[oauth2Client-public-auth]]Public Authentication
 
 Public Client Authentication is supported out of the box and no customization is necessary to enable it.
 

docs/modules/ROOT/pages/reactive/oauth2/client/client-authentication.adoc

@@ -7,18 +7,18 @@ The OAuth 2.0 Client features provide support for the Client role as defined in
 At a high-level, the core features available are:
 
 .Authorization Grant support
-* https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code]
-* https://tools.ietf.org/html/rfc6749#section-6[Refresh Token]
-* https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials]
-* https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials]
-* https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[JWT Bearer]
-* https://datatracker.ietf.org/doc/html/rfc8693#section-2.1[Token Exchange]
+* xref:reactive/oauth2/client/authorization-grants.adoc#oauth2-client-authorization-code[Authorization Code]
+* xref:reactive/oauth2/client/authorization-grants.adoc#oauth2-client-refresh-token[Refresh Token]
+* xref:reactive/oauth2/client/authorization-grants.adoc#oauth2-client-client-credentials[Client Credentials]
+* xref:reactive/oauth2/client/authorization-grants.adoc#oauth2-client-password[Resource Owner Password Credentials]
+* xref:reactive/oauth2/client/authorization-grants.adoc#oauth2-client-jwt-bearer[JWT Bearer]
+* xref:reactive/oauth2/client/authorization-grants.adoc#oauth2-client-token-exchange[Token Exchange]
 
 .Client Authentication support
-* https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer]
+* xref:reactive/oauth2/client/client-authentication.adoc#oauth2-client-authentication-jwt-bearer[JWT Bearer]
 
 .HTTP Client support
-* xref:reactive/oauth2/client/authorized-clients.adoc#oauth2Client-webclient-webflux[`WebClient` integration for Reactive Environments] (for requesting protected resources)
+* xref:reactive/oauth2/client/authorized-clients.adoc#oauth2-client-web-client[`WebClient` integration for Reactive Environments] (for requesting protected resources)
 
 The `ServerHttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
 

docs/modules/ROOT/pages/reactive/oauth2/client/index.adoc

@@ -166,7 +166,7 @@ class SecurityConfig {
 [[oauth2-resource-server-access-token-opaque]]
 ==== Opaque Token Support
 
-The following example configures an `OpaqueTokenIntrospector` bean using Spring Boot configuration properties:
+The following example configures an `ReactiveOpaqueTokenIntrospector` bean using Spring Boot configuration properties:
 
 [source,yaml]
 ----
@@ -1608,7 +1608,7 @@ class SecurityConfig {
 [[further-reading]]
 == Further Reading
 
-This preceding sections introduced Spring Security's support for OAuth2 with examples for common scenarios.
+The preceding sections introduced Spring Security's support for OAuth2 with examples for common scenarios.
 You can read more about OAuth2 Client and Resource Server in the following sections of the reference documentation:
 
 * xref:reactive/oauth2/login/index.adoc[]