Support for OpenID Connect Session Management session_state parameter #14812
Comments
benba
added
status: waiting-for-triage
jzheaux
added
in: oauth2
|
@benba, thank you for the suggestion! Correct me if I'm wrong, but I don't believe that the session state change notification detailed in the spec is well supported (e.g. works in most modern browsers, see note). Given that, I'm wondering if this would be used by many users. At the moment, I am not convinced it would be very useful and seems fairly easy to add on separately as you have done.
Convenience is nice, but isn't usually my primary goal. I also don't see a good place to capture this parameter right now. I don't feel that the authentication |
|
@benba thanks for your patience. We have discussed this issue and currently we don't see strong evidence that this feature is needed given the reasons mentioned in my earlier comment. Spring Security does not have general support for OpenID Connect Session Management, and there are a few other related issues (such as gh-6814 and gh-6815) which don't seem to have many upvotes (gh-6815 has a few but is very easy to support through customization). I will leave this issue open for now to see if we get any upvotes and we can go from there. We may also consider consolidating these related issues into a general issue for supporting OpenID Connect Session Management but I won't do that just yet. |
It would be great if the retrieval of the
session_staterequest paramter used in OpenID Connect Session Management could be added toOidcAuthorizationCodeAuthenticationProvider.authenticate()method so that the value is added to theAbstractAuthenticationToken.details.As of today I didn't find any convenient way to retrieve this parameter, except adding a custom
AuthenticationSuccessHandlerthat retrieve this parameter to save it in session during the authentication phase.The text was updated successfully, but these errors were encountered: