I was following the Client Credentials flow guide from Baeldung. One question that occurred to me was: what would happen if, during the initial request, when no token was cached, a second request was received in the application? Would Spring send a second request to authenticate?
I went as far as debugging my application and looked at the ClientCredentialsOAuth2AuthorizedClientProvider implementation, but couldn't find any locking mechanism and I didn't know where to look from there.
Yes, it will. This is a typical race condition, and Spring Security does not have built-in preventive measures against it. If a second request arrives while no token is cached, Spring will send another authentication request.
Similar issues have been discussed before (e.g., #11461, #14123), and the Spring team’s stance is that handling this should be the application's responsibility.
If this causes issues for you, consider implementing a custom synchronization mechanism to prevent multiple simultaneous authentication requests. You can also provide feedback or explore potential solutions in this open issue: #15145.
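One way to build the custom synchronization mentioned in the answer, shown as an added example (not code from the original post or from Spring Security). It assumes the blocking servlet stack and a delegate such as AuthorizedClientServiceOAuth2AuthorizedClientManager that caches the authorized client; the class name SynchronizedAuthorizedClientManager is hypothetical.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.locks.ReentrantLock;

import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;

// Hypothetical decorator (not a Spring class): serializes authorize() calls
// per client registration and principal, so only the first caller hits the
// token endpoint while the cache is empty or the token has expired.
public final class SynchronizedAuthorizedClientManager implements OAuth2AuthorizedClientManager {

    private final OAuth2AuthorizedClientManager delegate;

    // One lock per (registrationId, principalName), the same pair the
    // authorized-client cache is keyed on.
    private final ConcurrentMap<String, ReentrantLock> locks = new ConcurrentHashMap<>();

    public SynchronizedAuthorizedClientManager(OAuth2AuthorizedClientManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest request) {
        String key = request.getClientRegistrationId() + '|' + request.getPrincipal().getName();
        ReentrantLock lock = locks.computeIfAbsent(key, k -> new ReentrantLock());

        lock.lock();
        try {
            // The first thread obtains and stores the token. Threads that were
            // waiting enter afterwards, and the delegate returns the cached,
            // still-valid client without another token request.
            return delegate.authorize(request);
        } finally {
            lock.unlock();
        }
    }
}
```

Register the wrapper as the OAuth2AuthorizedClientManager bean in place of the delegate. The lock only covers a single JVM, so several application instances can still each request their own token.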