OAuth2AuthorizationEndpointFilter still get SecurityContext from HttpSessionSecurityContextRepository with expired session(actually expired by SessionInformation) when Configuring Concurrent Session Control

[Been24]

Expected Behavior
when Configure Concurrent Session Control in OAuth2AuthorizationServerSecurityFilterChain,OAuth2AuthorizationEndpointFilter should load SecurityContext from HttpSessionSecurityContextRepository exclude session that expired by org.springframework.security.core.session.SessionInformation with EXPIRED_ATTR

Current Behavior
In normal SecurityFilterChain,ConcurrentSessionFilter is going to Expired - abort processing such as doLogout;However Due to OAuth2AuthorizationEndpointFilter is orded before ConcurrentSessionFilter,so it not worked

Context

maybe we need a special SecurityContextRepository to do this in OAuth2AuthorizationServerSecurityFilterChain? or anything other else? hope to receive your help!

[jgrandja]

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.