okta / okta-sdk-java

A Java SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
Apache License 2.0

Invalid Session not cleaning up Auth Object in Spring Security #313

Closed vekdeq closed 5 years ago

vekdeq commented 5 years ago

Hi Team,

I have multiple Spring Boot applications hosted on Tomcat, where I am locking the user (under certain application-specific business logic) using the suspend call. As part of this, I want to clear the current user session in Spring Security (the Authentication object), which is not happening even after calling the endAllSessions method. Below is the source code for review.

```java
import com.okta.sdk.client.Client;
import com.okta.sdk.resource.user.User;
import org.springframework.security.core.context.SecurityContextHolder;

public class AccountLocker {
    private final Client oktaClient; // Okta SDK client, injected elsewhere

    public AccountLocker(Client oktaClient) {
        this.oktaClient = oktaClient;
    }

    public boolean lockUserAccount() {
        // Look up the Okta user by the login name in the current Spring Security context
        User user = oktaClient.getUser(SecurityContextHolder.getContext().getAuthentication().getName());
        user.endAllSessions(true); // end the user's Okta sessions (true also revokes OAuth tokens)
        user.suspend();            // suspend the user in Okta
        return true;
    }
}
```

bdemers commented 5 years ago

Hey @vekdeq!

It depends on how your other apps are configured. My guess is you have your apps configured to use a Spring Security Session (default), and those apps are NOT checking back with the IdP on each request. This is typically how other applications work too, for example, JIRA is typically set up this way.

Typically in this type of scenario, you need to weigh the performance benefit vs the security risk. Maybe you don't want to incur the cost of making remote calls to an IdP on each request; maybe just reduce the time the tokens are active: https://developer.okta.com/docs/reference/api/oidc/#limits

NOTE: Spring Security 2.1 (OAuth) only supports local token validation. Opaque token support will be available in 2.2 (which will be out soon). If you are not using bearer tokens this likely doesn't matter to you.

vekdeq commented 5 years ago

Hi Brian,

Thanks for your reply!! Unfortunately, it looks like we will have to make the IdP call on every hit, if that is the case, as from the end user's perspective it's one portal and we have designed it by breaking it into multiple applications as per the logical functional breakdowns. So how do I do it? Is there any configuration to enable it, or do I need to do it through the WebSecurity config?

vekdeq commented 5 years ago

Further, user.endAllSessions(true); is not clearing the authentication object in the current application either. Even though I can see the user is suspended, I can continue to navigate the current application. Only if I start a new browser session does it force me to the login page again. We have raised a support case (Case # 00643936) for your reference. I was under the impression that it actually acts as an SSO agent on my app to make sure that the user has a valid token for each hit. And that's the kind of need we have, both functionally and technically, as we have split the user experience into multiple applications. Once again, thanks for your help & guidance!!

Vivek
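The two observations above (endAllSessions does not clear the current app's Spring session, and the other apps never check back with the IdP) can be addressed with local code. The following is an added example, not code from this thread or from okta-sdk-java itself. It assumes the SDK 1.x package layout (com.okta.sdk.client.Client, com.okta.sdk.resource.user.User, UserStatus), Spring Security 5 with the javax.servlet API, and that a Client is available for injection; the class and method names are hypothetical. The lock routine invalidates the local HttpSession and security context after the Okta calls, and the filter performs the per-request status check that carries the remote-call cost described earlier.

```java
import com.okta.sdk.client.Client;
import com.okta.sdk.resource.user.User;
import com.okta.sdk.resource.user.UserStatus;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Suspends the user at Okta and also drops the local Spring Security session (hypothetical class). */
public class AccountLockService {
    private final Client oktaClient; // assumed to be injected

    public AccountLockService(Client oktaClient) {
        this.oktaClient = oktaClient;
    }

    public boolean lockUserAccount(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return false; // nobody is logged in locally, nothing to lock
        }
        User user = oktaClient.getUser(auth.getName());
        user.endAllSessions(true); // ends Okta sessions and revokes OAuth tokens at the IdP only
        user.suspend();
        // The Okta calls never touch this application's HttpSession, so clear it here:
        // this invalidates the session and clears the SecurityContext for the caller.
        new SecurityContextLogoutHandler().logout(request, response, auth);
        return true;
    }

    /**
     * Re-checks the user's status at Okta on every authenticated request (hypothetical filter).
     * This is the "remote call to the IdP on each request" trade-off: each hit costs one
     * management API call, in exchange for suspensions taking effect immediately in every app.
     */
    public static class IdpStatusCheckFilter extends OncePerRequestFilter {
        private final Client oktaClient;

        public IdpStatusCheckFilter(Client oktaClient) {
            this.oktaClient = oktaClient;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth != null && auth.isAuthenticated() && !(auth instanceof AnonymousAuthenticationToken)) {
                User user = oktaClient.getUser(auth.getName());
                UserStatus status = user.getStatus();
                if (status == UserStatus.SUSPENDED || status == UserStatus.DEPROVISIONED) {
                    // User was locked at the IdP: end the local session and reject the request.
                    new SecurityContextLogoutHandler().logout(request, response, auth);
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
            }
            chain.doFilter(request, response);
        }
    }
}
```

Register IdpStatusCheckFilter after the session-based authentication filter in each application's WebSecurity configuration. If the per-request lookup is too expensive, the cheaper middle ground bdemers points to is shortening token and session lifetimes so that a suspended user is cut off within one lifetime rather than immediately.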

vekdeq commented 5 years ago

One more update: we are able to navigate across the applications seamlessly once we enter id / pwd at any of the entry points. So the app is able to create an authentication object (I guess by checking that the auth object is NULL and then hitting the IdP, in our case Okta) for a request seamlessly without forcing the user to enter credentials again. So it is SSO to some extent, but not in the case where I log out and the auth session is expired.

bdemers commented 5 years ago

Hey @vekdeq, let's close this issue (as this isn't related to the SDK) and we can follow up with advice on your support ticket.