Persistent Implementation of the OidcSessionRegistry
nils-christian opened this issue
Hi,
We are using OAuth2 with backchannel logout and would like to use spring-session. To support this, we would need a persistent implementation of the OidcSessionRegistry.
Expected Behavior
The OidcBackChannelLogoutHandler should be able to map SIDs to the actual sessions even after a restart of the application.
Current Behavior
The OidcBackChannelLogoutHandler uses an in-memory implementation of the registry to map the SIDs from the identity provider to the actual sessions so that it can perform the logout. This works fine, but breaks as soon as one restarts the application.
Context
The only solution so far is to implement a manual mapping between the SID and, for example, the principal name so that the entries can be removed manually from the JdbcIndexedSessionRepository.
Thanks for the report, @nils-christian.
I'll have to check with @jzheaux what it should look like on Spring Session's side.
As a first measure, have you implemented your own OidcSessionRegistry and passed it to the DSL? What does it look like? If so, it should allow you to proceed while there is no built-in implementation.
Closing in favor of spring-projects/spring-security#14511
The OidcSessionRegistry may sound similar to Spring Session implementations, but its job is different. Instead of managing client sessions like Spring Session does, its purpose is to link provider sessions with client sessions. Therefore, it doesn't fit into Spring Session, and implementations of that interface will be provided in Spring Security.
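One way to keep the link between provider sessions and client sessions across restarts, as an added example that is not Spring Security's code or code from anyone in this thread. The class name `JdbcOidcSessionRegistry`, the table `oidc_session_link` and its columns are hypothetical, and storing the session information with Java serialization is a choice made for this example.

```java
import java.util.*;
import org.springframework.core.serializer.support.DeserializingConverter;
import org.springframework.core.serializer.support.SerializingConverter;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;

// Assumed table: oidc_session_link(client_session_id PRIMARY KEY, issuer, subject, sid, info BLOB).
// info is Java-serialized: restrict write access to the table as tightly as code deployment.
public class JdbcOidcSessionRegistry implements OidcSessionRegistry {
    private static final String DELETE = "DELETE FROM oidc_session_link WHERE client_session_id = ?";
    private final JdbcOperations jdbc;
    private final SerializingConverter toBytes = new SerializingConverter();
    private final DeserializingConverter fromBytes = new DeserializingConverter();
    public JdbcOidcSessionRegistry(JdbcOperations jdbc) { this.jdbc = jdbc; }

    public void saveSessionInformation(OidcSessionInformation info) {
        jdbc.update(DELETE, info.getSessionId()); // replace any stale row for this client session
        var user = info.getPrincipal();
        jdbc.update("INSERT INTO oidc_session_link (client_session_id, issuer, subject, sid, info) VALUES (?, ?, ?, ?, ?)",
            info.getSessionId(), user.getIssuer().toString(), user.getSubject(), user.getClaimAsString("sid"), toBytes.convert(info));
    }

    public OidcSessionInformation removeSessionInformation(String clientSessionId) {
        List<OidcSessionInformation> found = load("SELECT info FROM oidc_session_link WHERE client_session_id = ?", clientSessionId);
        jdbc.update(DELETE, clientSessionId);
        return found.isEmpty() ? null : found.get(0);
    }

    public Iterable<OidcSessionInformation> removeSessionInformation(OidcLogoutToken token) {
        String issuer = token.getIssuer().toString();
        // With a sid the token targets one provider session; without one, every session of the subject.
        List<OidcSessionInformation> candidates = (token.getSessionId() != null)
            ? load("SELECT info FROM oidc_session_link WHERE issuer = ? AND sid = ?", issuer, token.getSessionId())
            : load("SELECT info FROM oidc_session_link WHERE issuer = ? AND subject = ?", issuer, token.getSubject());
        List<OidcSessionInformation> matched = new ArrayList<>();
        for (OidcSessionInformation info : candidates) {
            List<String> aud = info.getPrincipal().getAudience();
            if (aud != null && !Collections.disjoint(aud, token.getAudience())) { // token must be meant for this client
                jdbc.update(DELETE, info.getSessionId());
                matched.add(info);
            }
        }
        return matched;
    }
    private List<OidcSessionInformation> load(String sql, Object... args) {
        return jdbc.query(sql, (rs, i) -> (OidcSessionInformation) fromBytes.convert(rs.getBytes("info")), args);
    }
}
```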