With Spring Security's stateless session policy, an OAuth server does not store any session information on the server side and instead relies on a self-contained token to authenticate the user. The server verifies the token on each request to ensure that it has not been tampered with and has not expired. Stateless OAuth removes the need for the server to maintain session state, which can improve scalability and reduce the risk of security vulnerabilities.
Having said this, if you look at your response header, it will still have jsessionid=
This is because a session is always injected (and created if one doesn't exist) whenever your code requests one; that has nothing to do with setting Spring Security to stateless. The stateless policy is a setting for Spring Security only, NOT for the remainder of your application. If you are using JSP you will always get a session, and depending on your controllers, they might also create one.
If you use a controller such as:
@PostMapping
public void create(HttpSession session) {}
The session will always be created because of the argument. If you don't want it to be created, use HttpServletRequest instead.
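The configuration and controller pair below are an added example, not code from the original page: it sets the stateless policy, shows the session-creating handler beside one that takes HttpServletRequest, and registers a listener that logs a stack trace whenever anything still creates a session. The class names, request paths and the listener bean are hypothetical. It assumes Spring Boot 3 with Spring Security 6 (jakarta.servlet), an embedded servlet container, and a JWT resource server whose decoder is configured elsewhere.

```java
// Added example; class names and paths are hypothetical. Assumes Spring Boot 3 / Spring Security 6.
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // Only stops Spring Security itself from creating or using a session.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Logs a stack trace whenever anything creates a session, which points at
    // the controller or view responsible. The session id is deliberately not logged.
    @Bean
    HttpSessionListener sessionCreationLogger() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent se) {
                new Exception("HttpSession created despite stateless policy").printStackTrace();
            }
        };
    }
}

@RestController
class ItemController {
    @PostMapping("/items-with-session")
    public void createWithSession(HttpSession session) { } // the argument forces session creation

    @PostMapping("/items")
    public void create(HttpServletRequest request) {
        // getSession(false) returns null when no session exists and never creates one.
        HttpSession existing = request.getSession(false);
    }
}
```

Calling request.getSession() with no argument, or getSession(true), would create a session just as the HttpSession parameter does.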