Improve OIDC warning when a session encryption key is generated
sberyozkin authored and gsmet committed Jun 6, 2024
1 parent d7e022b commit 8cf8663
Showing 2 changed files with 10 additions and 2 deletions.
Expand Up @@ -642,7 +642,10 @@ public enum Strategy {
* either `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` is checked.
* Finally, `quarkus.oidc.credentials.jwt.secret` which can be used for `client_jwt_secret` authentication is
* checked.
* The secret is auto-generated if it remains uninitialized after checking all of these properties.
* The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these
* properties.
* Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication
* will be required.
* <p>
* The length of the secret used to encrypt the tokens should be at least 32 characters long.
* A warning is logged if the secret length is less than 16 characters.
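Review bot: the Javadoc recommends a secret of at least 32 characters but the next line says a warning is only logged below 16 characters; either align the warning threshold with the recommendation or state why the two differ. The new sentence "Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication will be required" reads better as "The generated secret cannot decrypt a session cookie that was encrypted before the restart, so users will have to re-authenticate", and it would help to name the property that avoids regeneration here as well (`quarkus.oidc.token-state-manager.encryption-secret`, as the new log message does) so readers of the Javadoc know what to configure.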
Expand Up @@ -124,7 +124,12 @@ private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
}
try {
if (encSecret == null) {
LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
LOG.warn(
"Secret key for encrypting OIDC authorization code flow tokens in a session cookie is not configured, auto-generating it."
+ " Note that a new secret will be generated after a restart, thus making it impossible to decrypt the session cookie and requiring a user re-authentication."
+ " Use 'quarkus.oidc.token-state-manager.encryption-secret' to configure an encryption secret."
+ " Alternatively, disable session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ " but only if it is considered to be safe in your application's network.");
return generateSecretKey();
}
byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
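Review bot: the new message presents `quarkus.oidc.token-state-manager.encryption-required=false` as an alternative on nearly equal footing with configuring a secret, yet that option leaves the tokens in the session cookie unencrypted; consider keeping only the recommended fix (`quarkus.oidc.token-state-manager.encryption-secret`) in the WARN line and leaving the disable switch, with its network-trust caveat, to the documentation, or at least ordering it clearly as the less safe choice. Minor wording: "requiring a user re-authentication" reads better as "requiring users to re-authenticate".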

0 comments on commit 8cf8663