Reputation: 81
I followed the Spring Authorization Server sample, but for some reason the SID claim is missing in the ID Token. The SID claim is required for logout; I wonder how I can add it to the ID Token so that logout succeeds.
I have three ways a user can log in: one using their username and password, second a superadmin who can log in as anyone, and third using Azure AD. SID is present for superadmin and Azure AD login but missing when the user logs in with username and password.
I am using Spring Authorization Server 1.1.2.
Upvotes: 1
Views: 722
Reputation: 4375
Apparently OAuth2AuthorizationService performs a serialization/deserialization of the principal as part of saving tokens, and it causes a loss of session data stored in SessionRegistryImpl, because the session store uses objects as keys and the constructed object is different after the deserialization. The issue I've had is that I had a custom UserDetails implementation and the SessionRegistryImpl class was unable to figure out if 2 distinct UserDetails objects were in fact equal. There are 2 ways to deal with this problem:
1) [RECOMMENDED] Define hashCode/equals in your custom UserDetails class
Add logic for comparing 2 objects. You can compare based on username or any other set of fields.
import java.util.Objects;
import org.springframework.security.core.userdetails.UserDetails;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;

@JsonSerialize
@JsonDeserialize
public class CustomUserDetails implements UserDetails {
    private final String username;
    // other fields, the constructor and the remaining UserDetails methods omitted

    @Override
    public boolean equals(Object o) {
        // Two principals are the same user when their usernames match,
        // even if they are different objects after deserialization.
        if (this == o) return true;
        if (!(o instanceof CustomUserDetails other)) return false;
        return Objects.equals(username, other.username);
    }

    @Override
    public int hashCode() {
        // Must agree with equals(): same username, same hash.
        return Objects.hash(username);
    }
}
2) Write a custom SessionRegistry interface implementation
Harder to implement and thus not the recommended approach, but it's possible to build a custom SessionRegistry implementation, similar to SessionRegistryImpl, that will store/compare objects correctly.
Upvotes: 0
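The lookup failure this answer describes can be reproduced with SessionRegistryImpl alone, without a running authorization server. The following is an added example, not code from the post or from Spring; it assumes only spring-security-core on the classpath, and the two principal classes (PlainUser, ComparableUser) are hypothetical stand-ins for a custom UserDetails. The "copy" passed to the registry plays the role of the principal that comes back from a persisted authorization after Jackson rebuilt it.

```java
import java.util.List;
import java.util.Objects;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Added example (not from the original post): SessionRegistryImpl keys its
 * principal map by the principal object, so a deserialized copy of the user
 * only finds the registered session if equals()/hashCode() are defined.
 */
public class SessionRegistryEqualityDemo {

    /** Hypothetical UserDetails without equals()/hashCode(): identity comparison only. */
    static class PlainUser implements UserDetails {
        final String username;
        PlainUser(String username) { this.username = username; }
        @Override public String getUsername() { return username; }
        @Override public String getPassword() { return "n/a"; }
        @Override public List<GrantedAuthority> getAuthorities() { return List.of(); }
        @Override public boolean isAccountNonExpired() { return true; }
        @Override public boolean isAccountNonLocked() { return true; }
        @Override public boolean isCredentialsNonExpired() { return true; }
        @Override public boolean isEnabled() { return true; }
    }

    /** Same principal, but two instances with the same username compare equal. */
    static class ComparableUser extends PlainUser {
        ComparableUser(String username) { super(username); }
        @Override public boolean equals(Object o) {
            return o instanceof ComparableUser other && Objects.equals(username, other.username);
        }
        @Override public int hashCode() { return Objects.hash(username); }
    }

    /**
     * Registers one session for {@code original}, then looks it up using
     * {@code copy}, a distinct object representing the same user. Returns the
     * number of sessions the registry reports for the copy.
     */
    static int sessionsFoundFor(UserDetails original, UserDetails copy) {
        SessionRegistry registry = new SessionRegistryImpl();
        registry.registerNewSession("session-1", original);
        // This is the lookup the sid claim depends on; it succeeds only if
        // the map can recognise "copy" as the same key as "original".
        List<SessionInformation> sessions = registry.getAllSessions(copy, false);
        return sessions.size();
    }

    public static void main(String[] args) {
        System.out.println("without equals/hashCode: "
                + sessionsFoundFor(new PlainUser("alice"), new PlainUser("alice")));
        System.out.println("with equals/hashCode:    "
                + sessionsFoundFor(new ComparableUser("alice"), new ComparableUser("alice")));
    }
}
```

Running it shows the first lookup finding no session and the second finding one, which is exactly the difference between an in-memory authorization service (same object instance, identity match works) and a persisted one (fresh object after deserialization). Note that equality based on username alone means any two objects claiming the same username share sessions; that is the intended behaviour here, but the comparison should then be done against the authoritative username rather than any client-supplied field.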
Reputation: 31
I have the same behaviour as @user7090887.
With InMemory Repository:
With JDBC Repository:
With InMemory I have the sid and with JDBC it's missing. And when I try to log out I get an exception. I forked the GitHub repo from @user7090887 and created a working version. I can push it if it helps.
#### Open in Browser
http://localhost:9009/oauth2/authorize?
response_type=code
&client_id=messaging-client
&scope=openid
&redirect_uri=http://localhost:8080
&code_challenge=t3RzPLjc8NiO_mpmIuTJYi2P6Ps8y9jP6cphOhSNozw
&code_challenge_method=S256
##### Get JWT Token
POST http://localhost:9009/oauth2/token?client_id=messaging-client
&redirect_uri=http://localhost:8080
&grant_type=authorization_code
&scope=openid
&code=y2VsiK-mdjsZQ9gr_qHJGV0uZKxfvyVzXXbq7D0x0tAE4QgYJoQXFRHTyjOF5tR9jgFB8zXn_Yj-icyGy9EIhFa6wVy6Hg9LZcSsSYTHc9PccI7PGitdNaZIWfvRpTex
&code_verifier=mlZDBO_BNru6SRVHWhhAMJIsVCAdVZAL8VRTpy8hXBzcOJ92gKHtXPI3Agb0FF-l5NtYIbAcrl7bsHqSVJNDVWa0sjSoe0RvdwNy4Yz6StaQ-vd7uU0IRg-1tshE19PA
> {%
client.global.set("AUTH_TOKEN",response.body.access_token);
client.global.set("ID_TOKEN",response.body.id_token);
%}
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("messaging-client")
.clientSecret("secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("http://localhost:8080")
.postLogoutRedirectUri("http://localhost:8080")
.scope(OidcScopes.OPENID)
.clientSettings(ClientSettings.builder().requireProofKey(true).requireAuthorizationConsent(false).build())
.build();
RegisteredClient deviceClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("device-messaging-client")
.clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
.authorizationGrantType(AuthorizationGrantType.DEVICE_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.scope("message.read")
.scope("message.write")
.build();
Upvotes: 1