Jan 20th, 2011, 01:26 PM
#1
Oauth with Anonymous User
The requirement is that the client application has:
- No username/password
- Each user who comes to the app will end up with a new session and hence should be able to do the OAuth handshake based on their credentials with the provider app.
The above doesn't work because once user A with session A is authorized to use the resources, user B with session B is also getting authorized automatically.
Digging into the code, specifically InMemoryOAuth2ClientTokenServices on the client side, we find that the token keys are specific to the user. Since both user A and user B are anonymous users, they have the same principal name, which is "anonymousUser" because that's the default user Spring Security creates.
I was thinking that I could implement my own OAuth2ClientTokenServices and have the keys be "anonymousUser" + sessionId.
I will be getting the sessionId from ((WebAuthenticationDetails) authentication.getDetails()).getSessionId();
Is this a good solution? Is there a better way to do this?
Thank you
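As an added illustration (this is not code from the original post, nor from Spring Security OAuth), the sketch below shows how the per-session key proposed above could be derived and used, and what happens when the session id is missing. The `SessionScopedTokenStore` class and its `getToken`/`storeToken`/`removeTokensForSession` methods are a simplified stand-in for the poster's `OAuth2ClientTokenServices` implementation; the real interface's method signatures differ between spring-security-oauth releases and should be taken from the installed version. `Authentication`, `WebAuthenticationDetails` and `getSessionId()` are real Spring Security types; the access token is represented as a plain `String` for brevity.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/**
 * Illustrative client-side token store keyed by principal name PLUS HTTP session id.
 *
 * Keying on authentication.getName() alone fails for anonymous users: every
 * anonymous visitor is the same principal ("anonymousUser"), so the first
 * visitor's access token would be handed to every later visitor.
 */
public class SessionScopedTokenStore {

    // resourceId -> ("principal:sessionId" -> access token value)
    private final Map<String, Map<String, String>> tokens = new HashMap<String, Map<String, String>>();

    /** Builds the per-user, per-session key. Package-private so it can be unit tested. */
    static String keyFor(Authentication authentication) {
        String principal = authentication.getName(); // "anonymousUser" for all anonymous visitors
        Object details = authentication.getDetails();
        if (!(details instanceof WebAuthenticationDetails)) {
            // Without a session id two anonymous users cannot be told apart. Refuse
            // rather than fall back to the principal name alone, which would
            // silently reintroduce the cross-user token leak described in the post.
            throw new IllegalStateException("Authentication carries no WebAuthenticationDetails");
        }
        String sessionId = ((WebAuthenticationDetails) details).getSessionId();
        if (sessionId == null || sessionId.isEmpty()) {
            throw new IllegalStateException("Authentication has no HTTP session id");
        }
        return principal + ":" + sessionId;
    }

    public synchronized String getToken(Authentication authentication, String resourceId) {
        Map<String, String> perResource = tokens.get(resourceId);
        return perResource == null ? null : perResource.get(keyFor(authentication));
    }

    public synchronized void storeToken(Authentication authentication, String resourceId, String accessToken) {
        Map<String, String> perResource = tokens.get(resourceId);
        if (perResource == null) {
            perResource = new HashMap<String, String>();
            tokens.put(resourceId, perResource);
        }
        perResource.put(keyFor(authentication), accessToken);
    }

    /**
     * Drop every token that belongs to a session. Call this from
     * HttpSessionListener.sessionDestroyed(); otherwise tokens for expired
     * sessions stay in memory for the lifetime of the application.
     */
    public synchronized void removeTokensForSession(String sessionId) {
        String suffix = ":" + sessionId;
        for (Map<String, String> perResource : tokens.values()) {
            Iterator<String> keys = perResource.keySet().iterator();
            while (keys.hasNext()) {
                if (keys.next().endsWith(suffix)) {
                    keys.remove();
                }
            }
        }
    }
}
```

Two caveats follow from keying on the session id. First, the token is bound to the session cookie, so anything that lets a second browser present the same session id (session fixation, a leaked cookie) also gives it the first user's OAuth access; Spring Security's session-fixation protection changes the id on authentication, which in this design orphans the stored token, so the handshake simply has to be repeated. Second, the store must be cleared when the session ends, as shown in `removeTokensForSession`, or it grows without bound.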