Migration Guide 3.1
The OIDC session cookie, which is created after an OIDC authorization code flow has completed, is now encrypted by default. In most cases users are not expected to notice.
However, if either the mTLS or the private_key_jwt (the OIDC client's private key is used to sign a JWT token) authentication method is used between Quarkus and the OpenId Connect Provider, an in-memory encryption key is generated. In an application with many pods handling a very large number of requests, some pods may then fail to decrypt the session cookie, because the pod trying to decrypt it is not necessarily the one that encrypted it.
In such cases one can register an encryption secret which should be 32 characters long, for example:
quarkus.oidc.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
Alternatively, if the application's users only access it from within a trusted network, the session cookie encryption can be disabled:
quarkus.oidc.token-state-manager.encryption-required=false
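As an added example (not part of the migration guide or of Quarkus itself), the following Python snippet generates a fresh 32-character secret with a CSPRNG instead of copying the sample literal above, and lints an application.properties fragment for the two settings discussed here. It assumes a plain key=value properties file and knows nothing about which client authentication method is configured, so the missing-secret finding is advisory.

```python
import secrets
import string

PREFIX = "quarkus.oidc.token-state-manager."


def generate_encryption_secret(length: int = 32) -> str:
    """Return a random alphanumeric secret of the required length (32 by
    default), drawn from a cryptographically secure RNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for an application.properties fragment
    (constructed input; ignores blank lines and '#' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_session_cookie_config(text: str) -> list:
    """Return findings for the session cookie encryption settings."""
    props = parse_properties(text)
    findings = []
    enc_required = props.get(PREFIX + "encryption-required", "true")
    if enc_required.strip().lower() == "false":
        findings.append("encryption disabled: only acceptable when users "
                        "reach the application from a trusted network")
        return findings
    secret = props.get(PREFIX + "encryption-secret")
    if secret is None:
        # With mTLS or private_key_jwt client authentication the key is
        # generated in memory per pod, so multi-pod deployments need a
        # shared secret here.
        findings.append("no encryption-secret: key is generated per pod; "
                        "multi-pod deployments may fail to decrypt cookies")
    elif len(secret) != 32:
        findings.append(f"encryption-secret must be 32 characters, "
                        f"got {len(secret)}")
    return findings


if __name__ == "__main__":
    print(PREFIX + "encryption-secret=" + generate_encryption_secret())
```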