Closed saefty closed 7 months ago
I had the exactly same problem since I bump Spring Security from 6.1.5 to 6.2.0.
Thanks for the work around @saefty .
Thanks for reporting this, @saefty! Also thank you to @jheizmann who reported this through a separate channel.
This is fixed now and should go out in the next release. If you are able, please test with 6.2.2-SNAPSHOT
to confirm the fix.
The documentation is still out of date: https://docs.spring.io/spring-security/reference/reactive/oauth2/login/logout.html#_customizing_the_oidc_provider_session_strategy
How would one store this in Redis?
Describe the bug
Default configuration of
InMemoryOidcSessionRegistry
causes memory leak in cloud environments using external session storage systems such asorg.springframework.session:spring-session-data-redis
. Thisdefault
caused JVM OOMs in our production system for multiple days until we boiled it down using heap dumps from production containers.This was introduced with spring security 6.2 or might happen if you update from spring boot starter 3.1.6 to 3.2.x while using spring session with an external storage.
To Reproduce
Use Spring Security >= 6.2, Spring Data Session Redis or a spring boot starter app with version >= 3.2 Excerpt from the build.gradle
Expected behavior
This might be a communication issue in the documentation of the change logs. Setting the default to
InMemoryOidcSessionRegistry
is a breaking change for applications that are running in a cloud environment with non-sticky sessions.I would either recommend removing the default or clearly communicating this as a breaking change in the behavior of spring security. This change requires configuration changes to stay functional.
Related Documentation
OidcSessionStrategy
.SessionAuthenticationStrategy
which is doing something else.OidcSessionRegistry
is meant here.Our mitigation
We would mitigate this issue by providing a custom
OidcSessionRegistry
implementation that does not store the session information in memory. Spring Data Redis is already configured to store the session information in Redis. We also implemented a custom back-channel logout endpoint to remove the session information from the Redis store by wiping the http session. In this particular case, we would use theNoopSpringDataOidcSessionsStrategy
to avoid the memory leak until further support for external data storage is added.Sample
Creating a sample costs a lot of time and is not feasible for us at the moment. We are happy to provide a sample if it is required.
Related issues