
Using multiple OAuth2 clients in a single browser session using Spring Boot

We have a multi-tenant WebApp designed using Spring Boot + Spring Security. This app is used to manage certain resources in Azure. Users log in to our WebApp using OAuth 2.0 and can access Azure resources through our app.

Now we need to allow multiple users to log in to our app in a single browser session. So basically a user (user1) will use credentials1 to log in and access the resources allowed by these credentials. Then the user will use credentials2 (basically another user's credentials, let's call it user2) to log in on the same browser page. There will be two active users in the same session. The user should be able to switch between these accounts.

Once a user logs in to our app, we instantiate a RestTemplate (using the credentials entered) to access Azure resources.

Either we can have a single JSession ID mapped to multiple RestTemplates, or multiple JSession IDs (within a single JSession cookie) mapped to individual RestTemplates. We can have a request parameter indicating which RestTemplate to use.

We have used Spring Security to get the access token. This access token is then used in the RestTemplate for accessing Azure resources.

JProgrammer Avatar asked Nov 08 '22 02:11
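
The first option in the question (one session holding several accounts, with a request parameter choosing between them) sketched as an added example; it is not code from the question or from Spring. The class name `SessionAccounts`, the account cap and the token strings are assumptions made up for illustration. The point it shows is that the parameter carries only a random handle resolved inside the caller's own session, so it can never select a token held by a different session.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical holder; one instance would be stored as an attribute of the single HTTP session. */
public class SessionAccounts {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_ACCOUNTS = 5; // assumed cap on accounts per session

    // Opaque handle -> access token. Tokens stay server-side; only handles reach the browser.
    private final Map<String, String> tokensByHandle = new LinkedHashMap<>();

    /** Call after each successful OAuth2 login; returns the handle the page sends back to switch accounts. */
    public synchronized String add(String accessToken) {
        if (tokensByHandle.size() >= MAX_ACCOUNTS) {
            throw new IllegalStateException("too many accounts in this session");
        }
        byte[] raw = new byte[16];
        RNG.nextBytes(raw); // unguessable, and unrelated to any user id or token value
        String handle = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokensByHandle.put(handle, accessToken);
        return handle;
    }

    /** Resolve the request parameter. Empty means the handle is not in this session: refuse the request. */
    public synchronized Optional<String> tokenFor(String requestedHandle) {
        return Optional.ofNullable(requestedHandle).map(tokensByHandle::get);
    }

    /** Sign one account out without ending the whole session. */
    public synchronized boolean remove(String handle) {
        return tokensByHandle.remove(handle) != null;
    }

    public static void main(String[] args) {
        // Constructed sample data: two browser sessions, three logins.
        SessionAccounts sessionA = new SessionAccounts();
        SessionAccounts sessionB = new SessionAccounts();
        String user1 = sessionA.add("constructed-token-user1");
        String user2 = sessionA.add("constructed-token-user2");
        String other = sessionB.add("constructed-token-user3");

        System.out.println("switch to user1: " + sessionA.tokenFor(user1).isPresent());
        System.out.println("switch to user2: " + sessionA.tokenFor(user2).isPresent());
        // A handle issued to session B, presented in session A, must not resolve.
        System.out.println("foreign handle:  " + sessionA.tokenFor(other).isPresent());
        System.out.println("missing param:   " + sessionA.tokenFor(null).isPresent());
    }
}
```

The token returned by `tokenFor` would then be attached to the outgoing Azure call for that request only, rather than being baked into a long-lived shared client.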



1 Answer

"Now we need to allow multiple users to log in to our app in a single browser session"

Is this approach secure, at all? I mean, having two users using the same browser and sharing information isn't recommended.

"Either we can have a single JSession ID mapped to multiple RestTemplates, or multiple JSession IDs (within a single JSession cookie) mapped to individual RestTemplates"

I have never seen this kind of approach. Take Google as an example -- you can switch profiles, but need to log in.

If you really need to do it, there's an out-of-the-box solution for Chrome, Firefox and Opera called SessionBox, which enables session switching within the same browser. Otherwise, two common solutions are:

  • Use two different browsers (e.g. Chrome and Firefox)
  • Use incognito mode
Fabio Manzano Avatar answered Nov 27 '22 04:11
