Enhancement: if http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); is used, AutoConfiguration is not working very well because request.getSession() is always null
Comment From: wilkinsona
Assuming that request is an HttpServletRequest, getSession() should never return null. From its javadoc:
Returns the current session associated with this request, or if the request does not have a session, creates one.
Only getSession(false) should return null.
If null is being returned by getSession() then you have found a bug in the servlet container implementation or in something that is perhaps using HttpServletRequestWrapper and overriding getSession(). Unfortunately, you haven't provided enough information for us to be able to tell what's happening. If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.
Comment From: BingChunMoLi
For example, the default implementation of AuthorizationRequestRepository is HttpSessionOAuth2AuthorizationRequestRepository:

```java
private OAuth2AuthorizationRequest getAuthorizationRequest(HttpServletRequest request) {
    HttpSession session = request.getSession(false);
    return (session != null) ? (OAuth2AuthorizationRequest) session.getAttribute(this.sessionAttributeName) : null;
}
```

Bad request caused by the OAuth2LoginAuthenticationFilter#attemptAuthentication call:

```java
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository
        .removeAuthorizationRequest(request, response);
if (authorizationRequest == null) {
    OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
```

this.authorizationRequestRepository.removeAuthorizationRequest:

```java
@Override
public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
        HttpServletResponse response) {
    Assert.notNull(response, "response cannot be null");
    OAuth2AuthorizationRequest authorizationRequest = loadAuthorizationRequest(request);
    if (authorizationRequest != null) {
        request.getSession().removeAttribute(this.sessionAttributeName);
    }
    return authorizationRequest;
}

@Override
public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
    Assert.notNull(request, "request cannot be null");
    String stateParameter = getStateParameter(request);
    if (stateParameter == null) {
        return null;
    }
    OAuth2AuthorizationRequest authorizationRequest = getAuthorizationRequest(request);
    return (authorizationRequest != null && stateParameter.equals(authorizationRequest.getState()))
            ? authorizationRequest : null;
}
```

Minimal example: https://github.com/BingChunMoLi/security_oauth_demo
Comment From: wilkinsona
That Spring Security code is calling request.getSession(false) so it's to be expected that null is returned if nothing else has caused a session to be created. Spring Security is managed as a separate project. If you believe its behavior could be improved somehow, please open a Spring Security issue.
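For readers who hit this with a STATELESS session policy: the session-backed repository quoted above cannot find the pending request because no session was ever created, so the state check fails and the callback is rejected. The usual remedy is to register an AuthorizationRequestRepository that does not depend on HttpSession. The class below is an added example, not code from Spring Security, Spring Boot or the linked demo repository: it keeps the serialized OAuth2AuthorizationRequest in a cookie that is HMAC-signed, verifies the MAC before any deserialization, and applies a class allow-list, so the state comparison still protects the callback against forged or replayed requests. The cookie name, the caller-supplied 32-byte key, the allow-listed packages and a Servlet 6.0 container (for Cookie.setAttribute) are assumptions.

```java
// Added example (not Spring Security's or the demo project's code). Cookie name, key handling
// and the allow-listed packages are assumptions; adjust them for your deployment.
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.web.util.WebUtils;

/** Stores the pending OAuth2AuthorizationRequest in an HMAC-signed cookie instead of the HttpSession. */
public final class CookieOAuth2AuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {

    static final String COOKIE_NAME = "oauth2_auth_request"; // assumed name
    private static final int MAX_AGE_SECONDS = 180; // authorize -> callback round trip is short
    private static final String HMAC_ALG = "HmacSHA256";
    // Deserialization allow-list (assumption: these packages cover the serialized object graph).
    private static final ObjectInputFilter ALLOWED = ObjectInputFilter.Config
            .createFilter("org.springframework.security.oauth2.**;java.util.*;java.lang.*;!*");
    private final byte[] hmacKey;

    public CookieOAuth2AuthorizationRequestRepository(byte[] hmacKey) {
        Assert.isTrue(hmacKey != null && hmacKey.length >= 32, "hmacKey must be at least 32 bytes");
        this.hmacKey = hmacKey.clone();
    }

    @Override
    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        Assert.notNull(request, "request cannot be null");
        String state = request.getParameter(OAuth2ParameterNames.STATE);
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        if (state == null || cookie == null) return null;
        OAuth2AuthorizationRequest stored = verifyAndDeserialize(cookie.getValue());
        // Same check the session-based repository makes: the callback's state must match.
        return (stored != null && state.equals(stored.getState())) ? stored : null;
    }

    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
            HttpServletRequest request, HttpServletResponse response) {
        Assert.notNull(response, "response cannot be null");
        if (authorizationRequest == null) { response.addCookie(cookie("", 0)); return; }
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(authorizationRequest); // OAuth2AuthorizationRequest is Serializable
        } catch (IOException ex) {
            throw new IllegalStateException("cannot serialize authorization request", ex);
        }
        byte[] payload = bytes.toByteArray();
        response.addCookie(cookie(b64(payload) + "." + b64(hmac(payload)), MAX_AGE_SECONDS));
    }

    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
            HttpServletResponse response) {
        Assert.notNull(response, "response cannot be null");
        OAuth2AuthorizationRequest authorizationRequest = loadAuthorizationRequest(request);
        response.addCookie(cookie("", 0)); // one-shot: expire it even when the state did not match
        return authorizationRequest;
    }

    private OAuth2AuthorizationRequest verifyAndDeserialize(String value) {
        String[] parts = value.split("\\.", 2);
        if (parts.length != 2) return null;
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] mac = Base64.getUrlDecoder().decode(parts[1]);
            // Constant-time MAC check before a single byte reaches ObjectInputStream.
            if (!MessageDigest.isEqual(hmac(payload), mac)) return null;
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
                in.setObjectInputFilter(ALLOWED);
                return (OAuth2AuthorizationRequest) in.readObject();
            }
        } catch (IllegalArgumentException | IOException | ClassNotFoundException | ClassCastException ex) {
            return null; // tampered, truncated or foreign cookie: treat as "no pending request"
        }
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(hmacKey, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException(ex);
        }
    }

    private static String b64(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    private static Cookie cookie(String value, int maxAge) {
        Cookie cookie = new Cookie(COOKIE_NAME, value);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // assumes HTTPS end to end
        cookie.setMaxAge(maxAge);
        cookie.setAttribute("SameSite", "Lax"); // Servlet 6.0+; Lax is still sent on the top-level callback redirect
        return cookie;
    }
}
```

Wire it in with `http.oauth2Login(oauth2 -> oauth2.authorizationEndpoint(endpoint -> endpoint.authorizationRequestRepository(repo)))`, and give every instance behind a load balancer the same key, otherwise a callback that lands on a different node fails the MAC check exactly as it failed the session lookup before. The simpler alternative, if a session for the login hand-off is acceptable, is to leave the policy at IF_REQUIRED so the filter can create one.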