15 changes: 15 additions & 0 deletions docs/modules/ROOT/pages/core-model-components.adoc
Expand Up @@ -532,3 +532,18 @@ public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
----

In a clustered environment, the `SessionRegistry` must also be shared across application instances.
For example, when using https://docs.spring.io/spring-session/reference/index.html[Spring Session] to back HTTP sessions, register a `SpringSessionBackedSessionRegistry` instead of `SessionRegistryImpl`:

[source,java]
----
@Bean
public SessionRegistry sessionRegistry(
FindByIndexNameSessionRepository<? extends Session> sessionRepository) {
return new SpringSessionBackedSessionRegistry<>(sessionRepository);
}
----

When backing Spring Session with Redis, make sure an indexed session repository is configured, for example with `@EnableRedisIndexedHttpSession`, so that a `FindByIndexNameSessionRepository` is available.
This allows the OpenID Connect 1.0 Logout Endpoint to validate the `sid` claim even when the logout request is handled by a different application instance than the original login request.
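Review bot: In the last added paragraph, the sentence "This allows the OpenID Connect 1.0 Logout Endpoint to validate the `sid` claim ..." follows the Redis-specific sentence, so "This" reads as a consequence of `@EnableRedisIndexedHttpSession` rather than of sharing the `SessionRegistry`. Consider moving it up to directly follow "the `SessionRegistry` must also be shared across application instances", so the reason is given before the Spring Session example. The unchanged context above still registers an `HttpSessionEventPublisher` bean; it would help to say whether that bean is still required once `SpringSessionBackedSessionRegistry` replaces `SessionRegistryImpl`.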
5 changes: 5 additions & 0 deletions docs/modules/ROOT/pages/guides/how-to-redis.adoc
Expand Up @@ -223,3 +223,8 @@ include::{examples-dir}/main/java/sample/redis/config/RedisConfig.java[]
<4> Register the `RedisRegisteredClientRepository` with the activated `OAuth2RegisteredClientRepository`.
<5> Register the `RedisOAuth2AuthorizationService` with the activated `OAuth2AuthorizationGrantAuthorizationRepository`.
<6> Register the `RedisOAuth2AuthorizationConsentService` with the activated `OAuth2UserConsentRepository`.

[NOTE]
This guide configures Redis-backed implementations for the core services that store authorization server data.
If OpenID Connect 1.0 is enabled and the authorization server runs in a cluster, HTTP sessions must also be shared across application instances.
For Redis-backed HTTP sessions, configure Spring Session with an indexed session repository and register a `SpringSessionBackedSessionRegistry` as described in xref:core-model-components.adoc#session-registry[SessionRegistry].
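Review bot: The xref at the end of the note targets `core-model-components.adoc#session-registry`, but the hunk in that file only appends text and adds no anchor, so please confirm the `session-registry` id already exists there or the link will not resolve. The wording also differs between the two files: here "HTTP sessions must also be shared", there "the `SessionRegistry` must also be shared"; using one phrasing in both places would avoid suggesting two separate requirements. The callouts visible in this hunk (<4> to <6>) cover only the repositories and services, so naming `@EnableRedisIndexedHttpSession` in this note, as the other file does, would save the reader a jump.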