OAuth2 is useful in messaging and non-servlet, non-webflux apps. A lot of the machinery is not dependent on the web APIs, so it could be exposed as autoconfiguration even when the application context type was not MVC or webflux. E.g. everything in `OAuth2ResourceServerAutoConfiguration` and the private classes it imports is useful for receiving and authenticating a token, except for the 2 `@Bean` definitions that create `SecurityFilterChain` (which is servlet-specific). The same pattern occurs in `OAuth2ClientAutoConfiguration` but there are fewer beans there - only really one that would be useful outside a webapp (the `ClientRegistrationRepository`).
Interestingly, I found that as soon as I start adding config properties to `spring.security.oauth2.client.registration.*` I get a `ReactiveClientRegistrationRepository`, but not a vanilla blocking `ClientRegistrationRepository`. It was added for me because `Flux` was on the classpath, even though I didn't want or need it. That's probably a bug.
Comment From: philwebb
See #40997 for a similar ask just on the client side.