Improve OIDC warning when a session encryption key is generated #40916

Merged
Expand Up @@ -642,7 +642,10 @@ public enum Strategy {
* either `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` is checked.
* Finally, `quarkus.oidc.credentials.jwt.secret` which can be used for `client_jwt_secret` authentication is
* checked.
* The secret is auto-generated if it remains uninitialized after checking all of these properties.
* The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these
* properties.
* Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication
* will be required.
* <p>
* The length of the secret used to encrypt the tokens should be at least 32 characters long.
* A warning is logged if the secret length is less than 16 characters.
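Review bot: "Generated secret can not decrypt the session cookie encrypted before the restart" should read "A generated secret cannot decrypt a session cookie encrypted before the restart"; more importantly, this Javadoc tells the reader that re-authentication will be required but not how to avoid it, whereas the log message in the same PR points at `quarkus.oidc.token-state-manager.encryption-secret`. Suggest adding the same pointer here, e.g. "Configure `quarkus.oidc.token-state-manager.encryption-secret` to avoid this." so the documented behaviour and the runtime warning say the same thing.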
Expand Up @@ -124,7 +124,12 @@ private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
}
try {
if (encSecret == null) {
LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
LOG.warn(
"Secret key for encrypting OIDC authorization code flow tokens in a session cookie is not configured, auto-generating it."
+ " Note that a new secret will be generated after a restart, thus making it impossible to decrypt the session cookie and requiring a user re-authentication."
+ " Use 'quarkus.oidc.token-state-manager.encryption-secret' to configure an encryption secret."
+ " Alternatively, disable session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ " but only if it is considered to be safe in your application's network.");
return generateSecretKey();
}
byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
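Review bot: the last sentence of the new warning, "but only if it is considered to be safe in your application's network", understates what `encryption-required=false` does: with encryption disabled the tokens are stored in the session cookie without encryption, and the cookie is held by the user's browser, so the relevant risk is anyone who obtains that cookie reading the tokens, not just the network path. Suggest wording it as "Alternatively, disable session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false', in which case the tokens are stored in the cookie unencrypted." Minor style point: the five-part string concatenation would be easier to maintain as a single constant or a text block.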