
Spring Security Reactive doesn't store scopedTarget.oauth2ClientContext into Redis #7564


Closed
zhaojunjie163 opened this issue Oct 24, 2019 · 4 comments
Labels
for: external-project For an external project and not something we can fix


zhaojunjie163 commented Oct 24, 2019

Hello Teams,
I'm using spring security oauth2 for single sign-on, and would like to use spring session to store oAuth2 information into Redis so that we can scale horizontally. After debugging, I found spring security will not store scopedTarget.oauth2ClientContext into Redis by default, hence a new instance will not be able to get oAuth client information.

I found a similar issue on StackOverflow, but it's an old version. I'm currently using spring-security 5.2 and spring session 2.2. May I know whether I can achieve the same purpose in spring-security 5.2 in a reactive way (WebFlux)?

How to reproduce

A sample repo here: https://github.com/zhaojunjie163/sample.git
1.) Install Redis
2.) After authentication, if you restart the application, you need to log in again, as scopedTarget.oauth2ClientContext is not persisted in Redis.

Configuration POM.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.2.0.RELEASE</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.example</groupId>
	<artifactId>demo</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>demo</name>
	<description>Demo project for Spring Boot</description>

	<properties>
		<java.version>1.8</java.version>
		<spring-cloud.version>Greenwich.SR3</spring-cloud.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-webflux</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-actuator</artifactId>
		</dependency>
<!--Spring Session-->
		<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-data-redis</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-redis</artifactId>
		</dependency>

<!--Spring Security oAuth2-->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-oauth2-client</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-oauth2-jose</artifactId>
		</dependency>

<!--Others-->
		<dependency>
			<groupId>io.projectreactor</groupId>
			<artifactId>reactor-core</artifactId>
		</dependency>

		<dependency>
			<groupId>ch.qos.logback</groupId>
			<artifactId>logback-classic</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
			<exclusions>
				<exclusion>
					<groupId>org.junit.vintage</groupId>
					<artifactId>junit-vintage-engine</artifactId>
				</exclusion>
			</exclusions>
		</dependency>
		<dependency>
			<groupId>io.projectreactor</groupId>
			<artifactId>reactor-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>
	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>
spring-projects-issues added the status: waiting-for-triage label Oct 24, 2019

foo4u commented May 26, 2020

This is a major problem and no one must be using this in production with just Spring Security provided code. The problem is InMemoryReactiveOAuth2AuthorizedClientService is the only provided ReactiveOAuth2AuthorizedClientService.

I'm going to write one for Redis since this is blocking us as well.

@jgrandja
Contributor

@zhaojunjie163

> I found spring security will not store scopedTarget.oauth2ClientContext

It seems you are referring to Spring Security OAuth, as scopedTarget.oauth2ClientContext exists in that project, NOT Spring Security.

I'm going to close this since it's not an issue in Spring Security's 5.x OAuth support.

FYI, please see #7889

jgrandja added the for: external-project label and removed the status: waiting-for-triage label May 27, 2020
jgrandja self-assigned this May 27, 2020
Contributor

jgrandja commented May 27, 2020

@foo4u Please see #7889

Instead of configuring InMemoryReactiveOAuth2AuthorizedClientService use WebSessionServerOAuth2AuthorizedClientRepository along with Spring Session backed by Redis. That should work for your setup.
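
Added example, not part of the original thread or of Spring Security's own code: a WebFlux configuration that follows the suggestion above by storing authorized clients in the WebSession, which Spring Session persists to Redis. The class name `SessionBackedOAuth2Config` and the package are hypothetical, and client registrations are assumed to come from `spring.security.oauth2.client.*` properties with a reachable Redis instance.

```java
package com.example.demo; // hypothetical package, matching the groupId in the POM above

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.WebSessionServerOAuth2AuthorizedClientRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.session.data.redis.config.annotation.web.server.EnableRedisWebSession;

@Configuration
@EnableWebFluxSecurity
@EnableRedisWebSession // WebSession attributes are persisted to Redis by Spring Session
public class SessionBackedOAuth2Config { // hypothetical class name

    // Replaces the default repository, which delegates to
    // InMemoryReactiveOAuth2AuthorizedClientService and therefore loses
    // authorized clients on restart or when another instance serves the request.
    @Bean
    public ServerOAuth2AuthorizedClientRepository authorizedClientRepository() {
        return new WebSessionServerOAuth2AuthorizedClientRepository();
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            // Require authentication for every exchange.
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            // Store the OAuth2AuthorizedClient in the WebSession after login.
            .oauth2Login(oauth2 -> oauth2.authorizedClientRepository(authorizedClientRepository()))
            .build();
    }
}
```

With this setup the authorized client, including its access and refresh tokens, is serialized into the Redis-backed session, so the Redis instance should require authentication and be reachable only from the application instances.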


foo4u commented May 28, 2020

@jgrandja thanks for the info. That worked well.
