SID and SessionInformation is null in IdToken when AuthorizationService or Userdetails uses Jdbc or Jpa.

[gurneeraj]

While trying to logout from Spring Authorization Server when spring cloud gateway (Oauth2client) calls logout endpoint, I found SID is null because AuthorizationService or Userdetails uses Jdbc or Jpa.

I used UserDetailsService for creating a UserDetails object.

While debugging I found SessionRegistryImpl is returning null SessionInformation. Highlighted line returns null because 'principal(UserDetails)' is different from ones' present in 'principals'.

I created a sample which is similar to the issue I am facing right now. When you run the sample, SID will be null but when you comment out JdbcAuthorizationService config SID will be present in IDToken.

https://github.com/gurneeraj/auth-test

[ramonmalcolm10]

I had face a similar issue, try commenting out OAuth2AuthorizationService bean. Not sure why when that bean is configured it don’t return any result, the team can investigate further.
FYI you are still able to perform authentication using your UserDetailsService without that bean configured.

[sjohnr]

Here's the related SO question (https://stackoverflow.com/questions/77093539/sid-missing-in-id-token-using-spring-authorization-server) where I asked for this issue to be opened.

[sjohnr]

@gurneeraj I'm currently unable to reproduce your issue. There are no users in the database when the application starts up. Further, it looks like you cloned the demo-authorizationserver sample, but did not include images so I'm currently getting a 404 error on missing images. If I configure /error as permitAll(), I get past that issue but the demo-client succeeds in logging out. I'm going to close this issue for now as I believe you have a mis-configuration on your client. Please review the official samples in this repo to see if you spot any issues with your configuration. If you can provide a sample of your client, please update the stackoverflow question and add a comment and I'll be happy to take a look at possible mis-configurations on the client side.

[nucle]

Hi,
I have the same issue.
I also tried the version from @gurneeraj but without luck.

For testing, I created a simple project:
Auth Test Github

1. docker compose up -d (postgres container)
2. start application (liquibase will insert data)
3. Comment out and uncomment OAuth2AuthorizationService for in-memory or database

More can be found in the README

Please let me know when something does not work.

BR,
nucle

[sjohnr]

@nucle sorry you're having trouble. I looked at your sample, and it is also not minimal. If starting from one of our existing samples, please only make the minimal changes necessary to add a postgres database (adding liquibase also is fine) for the authorization service. There are a number of other changes in your sample, including adding cors, disabling csrf, adding a custom authentication provider, storing the user details in the database, and possibly other changes. Those changes should not be required to reproduce this issue. Please remove them, and I can take another look.

[nucle]

@sjohnr np I will create a minimal example.
thx

[sroui]

@ramonmalcolm10, I had the same issue and I fixed it by doing as you did - deleting OAuth2AuthorizationService which is configured in the code from samples

[gurneeraj]

Hi instead of using userdetailsservice. I used my own custom authorization provider, it solved the issue.