It would be great if the retrieval of the session_state request parameter used in OpenID Connect Session Management could be added to OidcAuthorizationCodeAuthenticationProvider.authenticate() method so that the value is added to the AbstractAuthenticationToken.details.

As of today I didn't find any convenient way to retrieve this parameter, except adding a custom AuthenticationSuccessHandler that retrieves this parameter to save it in session during the authentication phase.
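
The workaround described above, written out as an added example (this is not code from the issue author or from Spring Security itself). It assumes Spring Security 6 on Jakarta Servlet APIs (`jakarta.servlet.*`); on Spring Security 5 the imports would be `javax.servlet.*` instead. The class name `SessionStateCapturingSuccessHandler` and the session attribute name `oidc.session_state` are illustrative choices, not framework names. The handler reads `session_state` from the authorization-code callback request, stores it in the HTTP session alongside the client registration it came from, and then delegates to the standard `SavedRequestAwareAuthenticationSuccessHandler` so normal post-login redirection is preserved:

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Illustrative success handler (not part of Spring Security) that captures the
 * OpenID Connect Session Management "session_state" parameter from the
 * authorization response. By the time this handler runs, Spring Security has
 * already matched the "state" parameter against the saved authorization request
 * and exchanged the code, so the callback is bound to a login this app started.
 */
public class SessionStateCapturingSuccessHandler implements AuthenticationSuccessHandler {

    /** Session attribute names are assumptions chosen for this example. */
    public static final String SESSION_STATE_ATTR = "oidc.session_state";
    public static final String SESSION_STATE_REGISTRATION_ATTR = "oidc.session_state.registrationId";

    private final AuthenticationSuccessHandler delegate = new SavedRequestAwareAuthenticationSuccessHandler();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // session_state is OPTIONAL in the spec; only store it when the OP actually sent it.
        String sessionState = request.getParameter("session_state");
        if (sessionState != null && !sessionState.isBlank()) {
            request.getSession().setAttribute(SESSION_STATE_ATTR, sessionState);
            // Record which OP issued it so a later check_session_iframe call is not
            // made against the wrong provider when several registrations are configured.
            if (authentication instanceof OAuth2AuthenticationToken token) {
                request.getSession().setAttribute(SESSION_STATE_REGISTRATION_ATTR,
                        token.getAuthorizedClientRegistrationId());
            }
        }
        // Preserve the default behaviour (redirect to the saved request or target URL).
        delegate.onAuthenticationSuccess(request, response, authentication);
    }

    /** Wiring for the handler; the rest of the filter chain is the usual oauth2Login() setup. */
    @Configuration
    public static class OidcLoginConfig {
        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .oauth2Login(oauth2 -> oauth2
                    .successHandler(new SessionStateCapturingSuccessHandler()));
            return http.build();
        }
    }
}
```

The stored value is only useful to the browser-side part of OIDC Session Management (the `check_session_iframe` postMessage exchange), which the application still has to implement itself; Spring Security does not process `session_state` in any way, so nothing in the framework will act on the attribute.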

Comment From: sjohnr

@benba, thank you for the suggestion! Correct me if I'm wrong, but I don't believe that the session state change notification detailed in the spec is well supported (e.g. works in most modern browsers, see note). Given that, I'm wondering if this would be used by many users. At the moment, I am not convinced it would be very useful and seems fairly easy to add on separately as you have done.

> As of today I didn't find any convenient way to retrieve this parameter, except adding a custom AuthenticationSuccessHandler that retrieves this parameter to save it in session during the authentication phase.

Convenience is nice, but isn't usually my primary goal. I also don't see a good place to capture this parameter right now. I don't feel that the authentication details is the best place for it. It might require adding an additionalParameters to OAuth2AuthorizationResponse. Give me some time to discuss this internally and get back to you on whether this makes sense to add this to the framework.

Comment From: sjohnr

@benba thanks for your patience. We have discussed this issue and currently we don't see strong evidence that this feature is needed given the reasons mentioned in my earlier comment. Spring Security does not have general support for OpenID Connect Session Management, and there are a few other related issues (such as gh-6814 and gh-6815) which don't seem to have many upvotes (gh-6815 has a few but is very easy to support through customization).

I will leave this issue open for now to see if we get any upvotes and we can go from there. We may also consider consolidating these related issues into a general issue for supporting OpenID Connect Session Management but I won't do that just yet.