spring-securityspring-authorization-server

How to implement session management in spring authorization server


I have a federated spring authorisation server which uses social login. To restrict the number user login sessions, enabled the spring security session management but it didn’t worked out for me. I would like to implement following:

  1. When user logout, terminate the user session and ask him to login through social login again.

  2. If user already logged in, trying to login from another device or browser, we should terminate the old session (spring security session management had this)

Issue is even though I’m enabled the session management, it is still allowing multiple login sessions across devices/browsers.


Solution

  • The issue you're finding is on the client application where you configure concurrent session control for oauth2Login(). Maximum sessions is enforced correctly on the authorization server, which only uses formLogin().

    First, your client sample is missing a HttpSessionEventPublisher bean, as suggested in the docs.

    Second, your client sample is not configured to use Spring Session for backing the session store. Because of this, it is using an in-memory SessionRegistry implementation, which is the default. This in-memory implementation is simple in nature, and maps the sessions by the principal. It therefore considers two users who log in with OAuth2 to be different, because it simply uses the equals() and hashCode() methods of the principal (an instance of DefaultOidcUser). These methods do not consider the same user from different logins to be equal, because they have different values in the token response from the authorization server.

    In order for this sample to work correctly with concurrent session controls, you will need to add and configure spring-session as the backing store for your sessions on the client application, which is quite easy to do. See a list of samples and guides to get started.

    It might also be worth reporting this as a bug in spring-security, since the in-memory (default) implementation of SessionRegistry is not compatible with DefaultOidcUser and DefaultOAuth2User as the principal. However, it shouldn't be an issue in production as you should not rely on in-memory implementations for production deployments. You would normally configure Spring Session for your application at a minimum.