-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Migration Guide 3.1
OIDC session cookie which is created after an OIDC authorization code flow has completed, will now be encrypted by default. Users are not expected to notice it in most cases.
However, only if either mTLS or private_key_jwt (OIDC client private key is used to sign a JWT token) authentication methods are used between Quarkus and OpenId Connect Provider, then an in-memory encryption key will be generated, which might cause some pods in the application dealing with a very large number of requests failing to decrypt the session cookie, because a given pod trying to decrypt it might not be the one which encrypted it.
In such cases one can register an encryption secret which should be 32 characters long, for example:
quarkus.oidc.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBUAlso note that an encrypted session cookie might exceed a 4096 bytes limit which will cause some browsers ignoring it. Try one of the following in such cases:
-
Set
quarkus.oidc.token-state-manager.split-tokens=trueto have the ID, access and refresh tokens stored in separate cookies -
Set
quarkus.oidc.token-state-manager.strategy=id-refresh-tokensif you do not need to use the access token as a source of roles or to requestUserInfoor propagate it to the downstream services -
Register a custom
quarkus.oidc.TokenStateManagerCDI bean with the alternative priority set to 1. For example, customquarkus.oidc.TokenStateManagercan store all the tokens in a database and return a short DB pointer which Quarkus will use as a session cookie value.
If application users access the Quarkus application from within the trusted network, the session cookie encryption can be disabled:
quarkus.oidc.token-state-manager.encryption-required=false