Use HttpSessionOAuth2AuthorizedClientRepository instead of AuthenticatedPrincipalOAuth2AuthorizedClientRepository as bean.

[chenrujun]

https://github.com/spring-projects/spring-boot/blob/v2.4.0/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java

IMO, Use HttpSessionOAuth2AuthorizedClientRepository is more reasonable: the authorizedClient will cleared automatically after session expired.

[philwebb]

The javadoc of AuthenticatedPrincipalOAuth2AuthorizedClientRepository suggests that it delegates to HttpSessionOAuth2AuthorizedClientRepository for unauthenticated requests. Could you provide a bit more background about your suggested change?

/cc @jgrandja

[chenrujun]

Hi, @philwebb , Thank you for your response.

InMemoryOAuth2AuthorizedClientService will save all authorizedClients in memory, it may cause OOM in some case.

I created a draft PR: https://github.com/spring-projects/spring-boot/pull/24303/files

[philwebb]

Thanks @chenrujun.

One problem with the suggested change is that users will no longer be able to just provide a OAuth2AuthorizedClientService bean. They'd need to provide an AuthenticatedPrincipalOAuth2AuthorizedClientRepository with the OAuth2AuthorizedClientService already set.

I wonder if InMemoryOAuth2AuthorizedClientService should be constrained so that it accepts a maximum number of entries. @jgrandja Do you have any thoughts on this?

[chenrujun]

@philwebb

Current logic is like this:

If one user login, saved some authorizedClients in InMemoryOAuth2AuthorizedClientService, then the user left.
The the authorizedClient will never be deleted automically.

maximum number of entries is not a good idea. Because the web application may have millions of users,

---

IMU, with HttpSessionOAuth2AuthorizedClientRepository, when session expired, the authorizedClients will be cleaned automically.

[chenrujun]

@philwebb

How about create a new class HttpSessionOAuth2AuthorizedClientService, use it to replace InMemoryOAuth2AuthorizedClientService?

If you agree, I'm willing to create another PR.

[philwebb]

I'd like to see what @jgrandja has to say first.

[jgrandja]

@chenrujun I'd like to give you some background between OAuth2AuthorizedClientService vs. OAuth2AuthorizedClientRepository.

OAuth2AuthorizedClientService is designed to act as a core "service" that supplies client registrations. You will notice it's not dependent on the Servlet API so can be used outside of a web application context. However, the OAuth2AuthorizedClientRepository is tied to the Servlet API and is the main entry point to OAuth2AuthorizedClient's for
web-tier collaborators. The OAuth2AuthorizedClientRepository is meant to delegate to an OAuth2AuthorizedClientService that holds/maintains the actual client registrations.

The AuthenticatedPrincipalOAuth2AuthorizedClientRepository is the default OAuth2AuthorizedClientRepository for web applications. It handles "unauthenticated" requests via a HttpSessionOAuth2AuthorizedClientRepository delegate and handles "authenticated" requests by delegating to the OAuth2AuthorizedClientService.

The 2x implementations of OAuth2AuthorizedClientService is InMemoryOAuth2AuthorizedClientService and JdbcOAuth2AuthorizedClientService.

InMemoryOAuth2AuthorizedClientService really should only be used for development / testing. I would not recommend it in a production environment.

JdbcOAuth2AuthorizedClientService is new in 5.3 and requires custom configuration to take effect. See the reference doc and javadoc.

The auto-configuration in OAuth2WebSecurityConfiguration makes sense. Boot cannot auto-configure the JdbcOAuth2AuthorizedClientService since the schema needs to be defined along with connection properties. Therefore, that leaves us with InMemoryOAuth2AuthorizedClientService, hence the default.

NOTE: For production applications, the expectation is that the application would configure JdbcOAuth2AuthorizedClientService or provide a custom OAuth2AuthorizedClientService @Bean.

@philwebb Feel free to close this, as OAuth2WebSecurityConfiguration is aligned and there are no issues.

[chenrujun]

@jgrandja .

Thank you very much for your detailed explanation.

IMU, the root reason is that spring-security-oauth2-client is not only used in web applications. But HttpSession only exist in web application. So it doesn't make sense to use HttpSessionOAuth2AuthorizedClientRepository as default repository.

I'll close the issue.