Documentation for RP Initiated Logout, and Index Session Deletion from Redis, when session naturally expires #3190

Open
@dreamstar-enterprises

Expected Behavior

My Spring BFF sort of almost works (I'm now in month 3 of trying to create a robust login page).

Explicit Logout

When I explicitly log out, the following function gets called, and so the session is deleted from (i) namespace > sessions, (ii) namespace > sessions > expires, (iii) namespace > sessions > session id > idx, and (iv) namespace > sessions > expiration (sorted set):

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt#L40

Which calls this and this:

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L51

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L53

Which calls this and this:

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L162

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L100

Which both ultimately call this:

https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L387

The 4 delete methods in here get called:

https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L391

The following also gets called to do an RP Initiated Logout (to end the session that exists with the Auth0 Authorization server too)

  • the delete BFF session, delete 2 cookies here:

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt

  • the logout from the auth server here (RP Initiated Logout):

https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/oauth2/OAuth2ServerLogoutSuccessHandler.kt

Natural BFF session expiration

But how do I do the above when the BFF session reaches its natural expiration time?
When this happens, Redis still leaves the following:

[image]

Also, the Auth0 session is never logged out from (so if the person logs in again via the Spring BFF and the Auth0 session is still valid, it will silently log in without showing the Auth0 login page).
