Description
Expected Behavior
The current tutorial for Spring concurrent session management says it works out of the box with OAuth:
https://docs.spring.io/spring-security/reference/6.3-SNAPSHOT/reactive/authentication/concurrent-sessions-control.html
But it does not seem to be clear about what happens on logout: the code isn't proceeding with an RP-Initiated Logout / Back-Channel Logout, which it seems needs to be done manually somehow?
Current Behavior
When using the InvalidateLeastUsedServerMaximumSessionsExceededHandler, the logout on the application works properly, but when logging back in, the redirect to the IDP (Spring Authorization Server in my case) finds it still logged in (even though the IDP implements the same 1-session concurrency limit).
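As an added example (not code from the issue, nor from Spring Security's own docs or source), this is the configuration shape the report describes: a one-session limit with the invalidate-least-used handler, plus an RP-Initiated Logout handler on the explicit logout path. The class name, the `/logged-out` landing URI and the in-memory registry are assumptions for a single-instance app.

```java
// Added example, not from the issue: reactive Spring Security 6.3 configuration with
// concurrent-sessions control and RP-Initiated Logout. Names below are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.session.InMemoryReactiveSessionRegistry;
import org.springframework.security.core.session.ReactiveSessionRegistry;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler;
import org.springframework.security.web.server.authentication.SessionLimit;
import org.springframework.web.server.session.WebSessionStore;

@Configuration
@EnableWebFluxSecurity
public class SessionControlConfig {

    // Concurrent-session control requires a ReactiveSessionRegistry bean. The in-memory
    // registry only works for a single instance; a clustered app needs a shared one.
    @Bean
    ReactiveSessionRegistry reactiveSessionRegistry() {
        return new InMemoryReactiveSessionRegistry();
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            WebSessionStore webSessionStore,
            ReactiveClientRegistrationRepository clientRegistrations) {
        // RP-Initiated Logout: after the local session is ended, redirect the browser to
        // the provider's end_session_endpoint so the IDP session is ended as well.
        var oidcLogout = new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrations);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}/logged-out"); // assumed landing page

        http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .sessionManagement(sessions -> sessions
                .concurrentSessions(concurrency -> concurrency
                    .maximumSessions(SessionLimit.of(1))
                    // Expires the least recently used local session only; this handler does
                    // not contact the IDP, which is the behaviour the report observes.
                    .maximumSessionsExceededHandler(
                        new InvalidateLeastUsedServerMaximumSessionsExceededHandler(webSessionStore))))
            // Only the explicit logout path runs the OIDC logout success handler.
            .logout(logout -> logout.logoutSuccessHandler(oidcLogout));
        return http.build();
    }
}
```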
Context
How has this issue affected you?
It isn't possible to log out from the IDP, even when the IDP already has the concurrent session limit set to 1, because the filter isn't applied on the OAuth server matchers?
What are you trying to accomplish?
Logout in both the application and the IDP.
What other alternatives have you considered?
Writing myself an OidcBackChannelLogoutWebFilter / ConcurrentSessionControlServerAuthenticationSuccessHandler.
Are you aware of any workarounds?
Not as of now.