spring-projects / spring-session

Spring Session

Home Page: https://spring.io/projects/spring-session

Persistent Implementation of the OidcSessionRegistry

nils-christian opened this issue

Hi,

We are using OAuth2 with backchannel logout and would like to use spring-session. To support this, we would need a persistent implementation of the OidcSessionRegistry.

Expected Behavior

The OidcBackChannelLogoutHandler should be able to map SIDs to the actual sessions even after a restart of the application.

Current Behavior

The OidcBackChannelLogoutHandler uses an in-memory implementation of the registry to map the SIDs from the identity provider to the actual sessions so that it can perform the logout. This works fine, but breaks as soon as one restarts the application.

Context

The only solution so far is to implement a manual mapping between the SID and, for example, the principal name so that the entries can be removed manually from the JdbcIndexedSessionRepository.

Thanks for the report, @nils-christian.

I'll have to check with @jzheaux what it should look like on Spring Session's side.

As a first measure, have you implemented your own OidcSessionRegistry and passed it to the DSL? What does it look like? If so, it should allow you to proceed while there is no built-in implementation.

Closing in favor of spring-projects/spring-security#14511

The OidcSessionRegistry may sound similar to Spring Session implementations, but its job is different. Instead of managing client sessions like Spring Session does, its purpose is to link provider sessions with client sessions. Therefore, it doesn't fit into Spring Session, and implementations of that interface will be provided in Spring Security.
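
Added example, not part of the thread and not Spring Security's or Spring Session's own code: a minimal JDBC-backed `OidcSessionRegistry` of the kind the maintainers suggest as an interim measure, so that the SID-to-session mapping survives a restart and back-channel logout can still find the client session. The `oidc_session` table, its columns, the class name and the matching rule (issuer, then `sid` or subject, then overlapping audience) are assumptions of this example.

```java
import java.io.*;
import java.util.*;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
import org.springframework.security.oauth2.client.oidc.session.*;
import org.springframework.transaction.annotation.Transactional;

// Assumed table (hypothetical, not a Spring-provided schema):
//   oidc_session(client_session_id VARCHAR PRIMARY KEY, issuer, subject, sid, info BLOB)
public class JdbcOidcSessionRegistry implements OidcSessionRegistry {
    private final JdbcOperations jdbc;
    public JdbcOidcSessionRegistry(JdbcOperations jdbc) { this.jdbc = jdbc; }

    @Override @Transactional // takes effect when the registry is a Spring-managed bean
    public void saveSessionInformation(OidcSessionInformation info) {
        var user = info.getPrincipal();
        delete(info.getSessionId()); // replace any stale row for this client session
        jdbc.update("INSERT INTO oidc_session (client_session_id, issuer, subject, sid, info) VALUES (?, ?, ?, ?, ?)",
                info.getSessionId(), user.getIssuer().toString(), user.getSubject(),
                user.getClaimAsString("sid"), serialize(info));
    }
    @Override @Transactional
    public OidcSessionInformation removeSessionInformation(String clientSessionId) {
        List<OidcSessionInformation> found = jdbc.query("SELECT info FROM oidc_session WHERE client_session_id = ?",
                (rs, i) -> deserialize(rs.getBytes("info")), clientSessionId);
        delete(clientSessionId);
        return found.isEmpty() ? null : found.get(0);
    }
    @Override @Transactional
    public Iterable<OidcSessionInformation> removeSessionInformation(OidcLogoutToken token) {
        // A logout token with a sid targets one provider session; without it, all sessions of the subject.
        boolean bySid = token.getSessionId() != null;
        List<OidcSessionInformation> matches = jdbc.query(
                "SELECT info FROM oidc_session WHERE issuer = ? AND " + (bySid ? "sid" : "subject") + " = ?",
                (rs, i) -> deserialize(rs.getBytes("info")),
                token.getIssuer().toString(), bySid ? token.getSessionId() : token.getSubject())
            .stream() // keep only sessions whose ID token shares an audience with the logout token
            .filter(info -> !Collections.disjoint(info.getPrincipal().getAudience(), token.getAudience())).toList();
        matches.forEach(info -> delete(info.getSessionId()));
        return matches;
    }
    private void delete(String id) { jdbc.update("DELETE FROM oidc_session WHERE client_session_id = ?", id); }

    // Java serialization: the table must be writable only by the application itself.
    private static byte[] serialize(OidcSessionInformation info) {
        try (var bytes = new ByteArrayOutputStream(); var out = new ObjectOutputStream(bytes)) {
            out.writeObject(info);
            out.flush();
            return bytes.toByteArray();
        } catch (IOException ex) { throw new UncheckedIOException(ex); }
    }
    private static OidcSessionInformation deserialize(byte[] data) {
        try (var in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (OidcSessionInformation) in.readObject();
        } catch (IOException | ClassNotFoundException ex) { throw new IllegalStateException(ex); }
    }
}
```

Rows for sessions that expire without a logout are not cleaned up here; a deployment would also need to remove them when the corresponding Spring Session entry is deleted.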