Sachin
Spring Security - how to delete sessions from Redis, and do Auth0 logout, when BFF session naturally expires

My Spring BFF sort of almost works.

The issue I am encountering relates to the fact that while Spring Session / Security is saving my session data to Redis and applying a TTL (Time-To-Live) to the main session keys, the associated indexed keys (such as attributes indexed for lookups) are not automatically being set with a TTL. This means that these indexed keys can persist indefinitely unless manually deleted (e.g., through an explicit logout), leading to a potential memory leak.

Explicit Logout

When I explicitly log out, the following function gets called, and so the session is deleted from (i) namespace > sessions, (ii) namespace > sessions > expires, (iii) namespace > sessions > session id > idx, and (iv) namespace > sessions > expirations (sorted set).

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt#L40

Which calls this and this:

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt#L40

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L53

Which calls this and this:

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L162

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L100

Which both ultimately call this:

https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L387

The 4 delete methods in here get called:

https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L391

The following also gets called to do an RP-Initiated Logout (to end the session that exists with the Auth0 Authorization Server too):

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/oauth2/OAuth2ServerLogoutSuccessHandler.kt

Natural BFF session expiration

But how do I do the above when the BFF session reaches its natural expiration time? When this happens, Redis still leaves the following:

(screenshot not included)

Also, the Auth0 session is never logged out of (so if the person logs in again via the Spring BFF and the Auth0 session is still valid, it will silently log in without showing the Auth0 login page).

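As an added illustration, not code from the question or the linked repository: a listener on Spring Session's `SessionExpiredEvent` (published by `ReactiveRedisIndexedSessionRepository` when Redis keyspace notifications are enabled) that removes the two leftover index keys the question describes. The `spring:session` namespace and the fallback to the `SPRING_SECURITY_CONTEXT` attribute for the principal name are assumptions; adjust them to the BFF's configuration.

```kotlin
import org.springframework.context.event.EventListener
import org.springframework.data.redis.core.ReactiveStringRedisTemplate
import org.springframework.security.core.context.SecurityContext
import org.springframework.session.FindByIndexNameSessionRepository
import org.springframework.session.Session
import org.springframework.session.events.SessionExpiredEvent
import org.springframework.stereotype.Component
import reactor.core.publisher.Mono

/**
 * Added example (not from the question's repo): when a session expires naturally,
 * Spring Session publishes SessionExpiredEvent (this requires Redis keyspace
 * notifications, e.g. notify-keyspace-events "Egx"). The main session hash and the
 * "expires" key are removed by TTL; this listener deletes the per-session index hash
 * and the principal-name index entry, which otherwise outlive the session.
 */
@Component
class ExpiredSessionIndexCleanup(private val redis: ReactiveStringRedisTemplate) {

    // Assumed namespace; must match the namespace configured for Spring Session.
    private val namespace = "spring:session"
    private val principalIndex = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME

    @EventListener
    fun onSessionExpired(event: SessionExpiredEvent) {
        val session: Session = event.getSession<Session>()
        val sessionId = session.id

        // <ns>:sessions:<id>:idx  -> hash of index name -> indexed value
        val idxKey = "$namespace:sessions:$sessionId:idx"

        // <ns>:index:<PRINCIPAL_NAME_INDEX_NAME>:<principal> -> set of session ids.
        // Prefer the indexed attribute; fall back to the SecurityContext (assumption).
        val principal: String? = session.getAttribute<String>(principalIndex)
            ?: session.getAttribute<SecurityContext>("SPRING_SECURITY_CONTEXT")
                ?.authentication?.name
        val removePrincipalEntry: Mono<Long> = principal
            ?.let { redis.opsForSet().remove("$namespace:index:$principalIndex:$it", sessionId) }
            ?: Mono.empty()

        // Both deletes are idempotent, so running after the repository's own cleanup is safe.
        redis.delete(idxKey)
            .then(removePrincipalEntry)
            .subscribe()
    }
}
```

Note that an RP-initiated logout is a browser redirect to the provider's end-session endpoint, so it cannot be issued from this listener (there is no user request to redirect); if the Auth0 session must not be reused after the BFF session expires, that has to be enforced on the next authorization request rather than at expiry time.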
Answers (0)