Enforcing Single-Device Login with Spring Security OAuth2

Background

A user account should be allowed to log in from only one location, a common requirement in back‑office systems. The default Spring Security OAuth2 token flow cannot satisfy this need.

First, consider the TokenEndpoint flow: the client calls /oauth/token, which eventually invokes TokenGranter. TokenGranter obtains authentication information based on the grant type and calls TokenServices to generate a token.

Rewrite TokenService

Override the token issuance logic in createAccessToken. When a token already exists for the user, delete it and create a new one, causing the previous token to become invalid and be displaced.

@Transactional
public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
    OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
    OAuth2RefreshToken refreshToken = null;
    // If a token already exists for the user, remove the original token
    if (existingAccessToken != null) {
        tokenStore.removeAccessToken(existingAccessToken);
    } else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
        ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
        if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
            refreshToken = createRefreshToken(authentication);
        }
    }
    OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
    tokenStore.storeAccessToken(accessToken, authentication);
    // In case it was modified
    refreshToken = accessToken.getRefreshToken();
    if (refreshToken != null) {
        tokenStore.storeRefreshToken(refreshToken, authentication);
    }
    return accessToken;
}

Rewrite Token Key Generation Logic

The above code achieves single‑device login: a user can log in on mobile and PC simultaneously, but two mobile sessions cannot be active at the same time.

How to achieve unique login across different client types?

First, look at the source code that checks whether a token exists for a user:

public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
    String key = authenticationKeyGenerator.extractKey(authentication);
    // Redis query logic based on the key
    return accessToken;
}

The default AuthenticationKeyGenerator builds the key from username, clientId, and scope parameters, producing a unique token per user‑client‑scope combination.

public String extractKey(OAuth2Authentication authentication) {
    Map<String, String> values = new LinkedHashMap<String, String>();
    OAuth2Request authorizationRequest = authentication.getOAuth2Request();
    if (!authentication.isClientOnly()) {
        values.put(USERNAME, authentication.getName());
    }
    values.put(CLIENT_ID, authorizationRequest.getClientId());
    if (authorizationRequest.getScope() != null) {
        values.put(SCOPE, OAuth2Utils.formatParameterList(new TreeSet<String>(authorizationRequest.getScope())));
    }
    return generateKey(values);
}

To enable single login across multiple terminals, make the token identical for the same user regardless of client. Remove the clientId condition from extractKey so that the generated key does not differentiate terminals.

public String extractKey(OAuth2Authentication authentication) {
    Map<String, String> values = new LinkedHashMap<String, String>();
    OAuth2Request authorizationRequest = authentication.getOAuth2Request();
    if (!authentication.isClientOnly()) {
        values.put(USERNAME, authentication.getName());
    }
    if (authorizationRequest.getScope() != null) {
        values.put(SCOPE, OAuth2Utils.formatParameterList(new TreeSet<String>(authorizationRequest.getScope())));
    }
    return generateKey(values);
}

Finally, inject the customized TokenService into the authorization server configuration.