Multi oauth2 clients - 1 fixed per session

[veganchamp]

Hi, rather than give usesr the option to logon to any of the configured oauth2 clients, I would like to dynamically fix them to just one, based on various conditions like entry url, http session data, lets say an oauth2 client resolver. Is there a good example of how to achieve this?

[ch4mpy]

If your intention is to shrink the number of login options to 1 so that the login screen redirects immediately instead of displaying choices, you can have a look at the LoginController from the resource-server_with_ui tutorial.

If you want to limit the number of possible sessions for a user (a user could still call another of the authorization-code initiation endpoint directly, without using the login screen) you'll have to look into http.sessionManagement(sm -> {...}). Be aware that:

• there are specific steps when using Spring Session (the project for distributed sessions): https://docs.spring.io/spring-session/reference/spring-security.html#spring-security-concurrent-sessions
• spring-addons-starter-oidc has no specific property for session management. If using spring-addons, you'll have to set this conf yourself with a ClientSynchronizedHttpSecurityPostProcessor or a ClientReactiveHttpSecurityPostProcessor

[ch4mpy]

@veganchamp would you please mark the thread as answered if you got enough info?

[veganchamp]

Hi @ch4mpy, while the servlet-client sample works independently I'm struggling to get it working though our proxy, then I can move onto your suggestion above, any thoughts?
If you'd rather I asked a separate question and close this, I'm happy with that.
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://lv-direct--inttrn.sandbox.my.site.com/giportal/.well-known/openid-configuration": Connection refused: getsockopt at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:915) ~[spring-web-6.1.4.jar:6.1.4]

[ch4mpy]

Well, yes, it looks like a completely different question (which should be the object of another question, maybe on stackoverflow, if spring-boot doc is not enough).

But if you couldn't try yet what I answered with an authorization server accessible directly (like a local Keycloak instance), then this question should probably remain opened.