Improve documentation for best practices to enable horizontal scaling with OAuth 2 client applications #12883

Closed
@timosalm

Expected Behavior

It's a common case with OAuth to have several instances of a horizontally scaled, stateless application behind a load balancer (e.g. with Kubernetes). Without additional configuration or components, the OAuth flow fails if those apps act as an OAuth Client.

I would expect to have information in the OAuth section on the recommended approach to get OAuth 2.0 working, with such an application acting as an OAuth client. Either Spring Session with a DB or an easier / more secure way of getting it working.

Here is a good article by Okta for inspiration.

Current Behavior

In the "Session Management" section, there is a note about storing the SecurityContext in a cache or database to enable horizontal scaling, but there is no information about it in the OAuth2 section, even though it's a common case with OAuth to have several instances of an application behind a load balancer (e.g. with Kubernetes) and the OAuth flow fails if those apps act as an OAuth Client.

Context

I tried to find information on why the OAuth flow for such an application acting as an OAuth client worked without horizontal scaling but failed with multiple instances and could not find the information in the official documentation in the OAuth section.

Metadata

Labels

in: docs (An issue in Documentation or samples)
status: declined (A suggestion or change that we don't feel we should currently apply)
type: enhancement (A general enhancement)
