From 8cf86637d3d2f8723a1b576f80dd09f3cbe01140 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Fri, 31 May 2024 11:18:21 +0100
Subject: [PATCH] Improve OIDC warning when a session encryption key is generated

---
 .../src/main/java/io/quarkus/oidc/OidcTenantConfig.java | 5 ++++-
 .../java/io/quarkus/oidc/runtime/TenantConfigContext.java | 7 ++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
index ace3645ff8dd3..84290b257abb7 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -642,7 +642,10 @@ public enum Strategy {
 * either `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` is checked.
 * Finally, `quarkus.oidc.credentials.jwt.secret` which can be used for `client_jwt_secret` authentication is
 * checked.
- * The secret is auto-generated if it remains uninitialized after checking all of these properties.
+ * The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these
+ * properties.
+ * Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication
+ * will be required.
 *

* The length of the secret used to encrypt the tokens should be at least 32 characters long.
 * A warning is logged if the secret length is less than 16 characters.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
index da7ac79a6a364..d15b0b92e1b83 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
@@ -124,7 +124,12 @@ private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
 }
 try {
 if (encSecret == null) {
- LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
+ LOG.warn(
+ "Secret key for encrypting OIDC authorization code flow tokens in a session cookie is not configured, auto-generating it."
+ + " Note that a new secret will be generated after a restart, thus making it impossible to decrypt the session cookie and requiring a user re-authentication."
+ + " Use 'quarkus.oidc.token-state-manager.encryption-secret' to configure an encryption secret."
+ + " Alternatively, disable session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ + " but only if it is considered to be safe in your application's network.");
 return generateSecretKey();
 }
 byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
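Review bot: The added Javadoc sentence `Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication will be required.` reads awkwardly and drops the article; I would write `* The generated secret cannot decrypt session cookies issued before the restart, so users have to re-authenticate.` It would also help readers of the generated config docs to name the property that avoids regeneration here, `quarkus.oidc.token-state-manager.encryption-secret`, since the new log message in TenantConfigContext already points to it. The Javadoc block and the field it documents start before and end after this hunk.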
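Review bot: The last two fragments of the new warning present `quarkus.oidc.token-state-manager.encryption-required=false` as an alternative on a par with configuring a secret and tie its safety to "your application's network"; the cookie that carries the tokens is held by the browser and sent with every request, so network trust is not the relevant criterion, and a startup warning is an odd place to recommend switching a protection off. I would end the message after the property hint, e.g. `+ " Use 'quarkus.oidc.token-state-manager.encryption-secret' to configure a stable encryption secret.");`, and if the disable option stays, state what it gives up (tokens stored unencrypted in the cookie) rather than when it is "safe". Presumably the generated key is also per process, so the restart caveat applies equally to running several instances without a shared secret; worth a word in the message if generateSecretKey confirms that, which I cannot see from this hunk. createTokenEncSecretKey begins before the hunk and continues after it.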