Oauth2 maximumSessions did not work #15194

Closed
DucNguyenVan opened this issue Jun 3, 2024 · 3 comments
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid type: bug A general bug

Comments

@DucNguyenVan

Describe the bug
I am implementing OAuth2 to connect with a custom provider (not Google or GitHub). I need to implement a custom callback handler in a controller for handling the OAuth2 login flow in Spring Security. Everything worked well, and the user was logged in successfully.

Now I need to implement a mechanism that logs out the current user session when the same user logs in from another device.
I tried to set maximumSessions(1) in the sessionManagement section, but it did not work.

I also tried to implement a custom success handler (successHandler), but the success handler was not triggered (it seems that because I implemented a custom callback handler, the success handler event was not triggered).

To Reproduce
Steps to reproduce the behavior.

            .oauth2Login(oauth2Login ->
                oauth2Login
                    .successHandler(customOAuth2AuthenticationSuccessHandler())
            )
            .sessionManagement(session -> session
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)  // This will not prevent new logins, but will expire previous sessions
            )

Expected behavior
log out the current user session when the same user logs in from another device

Sample

    @GetMapping("/oauth2/callback")
    public void handleOAuth2Callback(@RequestParam("code") String code, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        // Capture the authorization code
        OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest(code);

        // Exchange the authorization code for an access token
        OAuth2AccessToken accessToken = fetchAccessToken(authorizationRequest);

        // Fetch user details
        OAuth2User oAuth2User = fetchUserDetails(accessToken);

        // Remove existing sessions if the user is already logged in
        removeExistingUserSessions(oAuth2User.getName());

        // Create and authenticate the user
        Authentication authentication = createAuthentication(oAuth2User);
        SecurityContextHolder.getContext().setAuthentication(authentication);

        // Redirect to the target URL
        response.sendRedirect("/custom-target-url");
    }
@DucNguyenVan DucNguyenVan added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jun 3, 2024
@sjohnr sjohnr self-assigned this Jun 4, 2024
@sjohnr sjohnr added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Jun 4, 2024
@sjohnr

sjohnr commented Jun 4, 2024

Hi @DucNguyenVan, thanks for getting in touch, but it seems possible that your issue is related to your custom callback handler and is not a bug in the framework. It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, the sample you have provided is not complete so I'm unsure where the issue lies. Please provide the following:

I am implementing OAuth2 to connect with a custom provider (not Google or GitHub).

Can you please explain what is meant by "custom provider"? Do you mean that it does not implement the OAuth 2.0 or OpenID Connect 1.0 specs?

I need to implement a custom callback handler in a controller for handling the OAuth2 login flow in Spring Security.

It is not clear why you need to do this, and possibly part of the issue. If the provider implements the spec(s) correctly, this should not be necessary. Can you please explain why this is necessary?

I also tried to implement a custom success handler (successHandler), but the success handler was not triggered (it seems that because I implemented a custom callback handler, the success handler event was not triggered).

You appear to be duplicating some of the functionality provided by the OAuth2LoginAuthenticationFilter but you are not calling the success handler in your own code, which may be why you are facing this issue.

If you believe you've found a bug, please remove your custom callback in favor of using the built-in redirection endpoint documented here and here and provide a complete, minimal sample.

I will leave this issue open for now but will close it if you are unable to provide an update.

Related gh-15071
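The configuration below is an added example (not code from this issue or from the Spring Security project) of the approach the maintainer's reply points to: letting the built-in redirection endpoint and OAuth2LoginAuthenticationFilter perform the login so that the SessionAuthenticationStrategy behind maximumSessions(1) and the success handler both run. It assumes the custom provider is registered in application properties with redirect URI {baseUrl}/login/oauth2/code/{registrationId}; the class and bean names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class OAuth2SessionConfig { // hypothetical class name

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // No custom /oauth2/callback controller. The default redirection endpoint
            // /login/oauth2/code/{registrationId} is served by OAuth2LoginAuthenticationFilter,
            // which runs the SessionAuthenticationStrategy (concurrency control) and then the
            // success handler. A controller that sets SecurityContextHolder itself skips both.
            .oauth2Login(oauth2 -> oauth2.defaultSuccessUrl("/custom-target-url", true))
            .sessionManagement(session -> session
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false) // expire the older session instead of blocking the new login
                .sessionRegistry(sessionRegistry()));
        return http.build();
    }

    // Concurrency control looks up existing sessions for the principal in this registry.
    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Forwards HttpSession create/destroy events to the registry so that sessions that
    // timed out or were invalidated no longer count against the maximum.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

SessionRegistryImpl groups sessions by the principal object, so two logins count as the same user only if their OAuth2User principals are equal; if the provider's userinfo attributes vary between logins, map them to a stable principal in a custom OAuth2UserService.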

@sjohnr sjohnr added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 4, 2024
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Jun 11, 2024
@spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues closed this as not planned Won't fix, can't repro, duplicate, stale Jun 18, 2024
@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Jun 18, 2024
@sjohnr sjohnr added the status: invalid An issue that we don't feel is valid label Jun 18, 2024