Fix session concurrency for OAuth2/OIDC authentication by Gautam-aman · Pull Request #18624 · spring-projects/spring-security
## Background

Session concurrency control relies on principal equality when resolving
existing sessions. For OAuth2/OIDC logins, the principal is typically an
`Authentication` whose underlying principal (e.g. `DefaultOidcUser`)
uses attribute-based equality.
Since attributes such as `nonce`, `jti`, and `sid` differ per authentication,
session lookups fail and `maximumSessions` becomes ineffective.
## Approach

When the principal is an `Authentication`, this change keys session registry
entries by `Authentication#getName()`, which represents the stable user
identity in Spring Security.
Existing behavior is preserved for non-`Authentication` principals.
## Tests

Adds a regression test demonstrating correct session resolution when using
distinct `Authentication` instances with the same name.
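The failure mode and the fix described in the Background and Approach sections, as an added stand-alone illustration that is not code from this pull request or from Spring Security. The `Authentication`, `OidcUser`, `OidcAuthentication` and `SessionRegistry` types below are simplified stand-ins for Spring's `Authentication`, `DefaultOidcUser` and `SessionRegistryImpl`; the `keyByName` switch is an assumption used only to show both behaviours side by side.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;

// Stand-in for Spring Security's Authentication: only the method the fix relies on.
interface Authentication {
    String getName();
}

// Models DefaultOidcUser: equality is derived from the claim set, which for a
// real login includes per-authentication claims such as nonce/jti/sid.
final class OidcUser {
    final String subject;
    final String nonce; // differs on every login, so two logins never compare equal

    OidcUser(String subject, String nonce) {
        this.subject = subject;
        this.nonce = nonce;
    }

    @Override public boolean equals(Object o) {
        if (!(o instanceof OidcUser)) return false;
        OidcUser other = (OidcUser) o;
        return subject.equals(other.subject) && nonce.equals(other.nonce);
    }

    @Override public int hashCode() { return Objects.hash(subject, nonce); }
}

// Models the OAuth2 login Authentication: delegates equality to its principal.
final class OidcAuthentication implements Authentication {
    final OidcUser principal;

    OidcAuthentication(OidcUser principal) { this.principal = principal; }

    @Override public String getName() { return principal.subject; }
    @Override public boolean equals(Object o) {
        return o instanceof OidcAuthentication && principal.equals(((OidcAuthentication) o).principal);
    }
    @Override public int hashCode() { return principal.hashCode(); }
}

// Minimal registry keyed by principal, as SessionRegistryImpl is. With keyByName=true
// it applies the PR's approach: Authentication principals are keyed by getName().
final class SessionRegistry {
    private final Map<Object, Set<String>> sessionIdsByPrincipal = new ConcurrentHashMap<>();
    private final boolean keyByName; // hypothetical switch for this demo only

    SessionRegistry(boolean keyByName) { this.keyByName = keyByName; }

    private Object key(Object principal) {
        if (keyByName && principal instanceof Authentication) {
            return ((Authentication) principal).getName(); // stable identity
        }
        return principal; // unchanged behaviour for non-Authentication principals
    }

    void registerNewSession(String sessionId, Object principal) {
        sessionIdsByPrincipal.computeIfAbsent(key(principal), k -> new CopyOnWriteArraySet<>()).add(sessionId);
    }

    // What a maximumSessions check consults before admitting another session.
    int sessionCount(Object principal) {
        Set<String> ids = sessionIdsByPrincipal.get(key(principal));
        return ids == null ? 0 : ids.size();
    }
}

public class ConcurrencyDemo {
    public static void main(String[] args) {
        // Constructed sample: the same user logging in twice, each login carrying a fresh nonce.
        Authentication firstLogin = new OidcAuthentication(new OidcUser("alice", "nonce-1"));
        Authentication secondLogin = new OidcAuthentication(new OidcUser("alice", "nonce-2"));

        SessionRegistry keyedByPrincipal = new SessionRegistry(false);
        keyedByPrincipal.registerNewSession("session-1", firstLogin);
        System.out.println("keyed by principal equality, sessions found for alice on 2nd login: "
                + keyedByPrincipal.sessionCount(secondLogin));

        SessionRegistry keyedByName = new SessionRegistry(true);
        keyedByName.registerNewSession("session-1", firstLogin);
        System.out.println("keyed by Authentication#getName(), sessions found for alice on 2nd login: "
                + keyedByName.sessionCount(secondLogin));
    }
}
```

Run with `javac ConcurrencyDemo.java && java ConcurrencyDemo`. The first registry cannot find the earlier session because the two `OidcUser` instances differ in `nonce`, so a `maximumSessions` limit would never trigger; the second registry resolves both logins to the key `"alice"` and reports the existing session, which is the condition the concurrency check needs in order to expire or reject the surplus session.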