Merge pull request #30828 from sberyozkin/oidc_session_cookie_same_si…

…te_lax Make OIDC session cookie same site lax by default
quarkusio · Feb 2, 2023 · 7814ea5 · 7814ea5
2 parents 7fe17cc + 1501eb8
commit 7814ea5
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -769,8 +769,8 @@ public enum ResponseMode {
         /**
          * SameSite attribute for the session cookie.
          */
-        @ConfigItem(defaultValue = "strict")
-        public CookieSameSite cookieSameSite = CookieSameSite.STRICT;
+        @ConfigItem(defaultValue = "lax")
+        public CookieSameSite cookieSameSite = CookieSameSite.LAX;
 
         /**
          * If this property is set to 'true' then an OIDC UserInfo endpoint will be called.

diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
@@ -107,7 +107,7 @@ quarkus.oidc.tenant-https.authentication.cookie-suffix=test
 quarkus.oidc.tenant-https.authentication.error-path=/tenant-https/error
 quarkus.oidc.tenant-https.authentication.pkce-required=true
 quarkus.oidc.tenant-https.authentication.pkce-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
-quarkus.oidc.tenant-https.authentication.cookie-same-site=lax
+quarkus.oidc.tenant-https.authentication.cookie-same-site=strict
 
 quarkus.oidc.tenant-javascript.auth-server-url=${quarkus.oidc.auth-server-url}
 quarkus.oidc.tenant-javascript.client-id=quarkus-app

diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -95,7 +95,7 @@ public void testCodeFlowNoConsent() throws IOException {
 
             Cookie sessionCookie = getSessionCookie(webClient, null);
             assertNotNull(sessionCookie);
-            assertEquals("strict", sessionCookie.getSameSite());
+            assertEquals("lax", sessionCookie.getSameSite());
 
             webClient.getCookieManager().clearCookies();
         }
@@ -220,7 +220,7 @@ public void testCodeFlowForceHttpsRedirectUriAndPkce() throws Exception {
             assertEquals("tenant-https:reauthenticated", page.getBody().asNormalizedText());
             Cookie sessionCookie = getSessionCookie(webClient, "tenant-https_test");
             assertNotNull(sessionCookie);
-            assertEquals("lax", sessionCookie.getSameSite());
+            assertEquals("strict", sessionCookie.getSameSite());
             webClient.getCookieManager().clearCookies();
         }
     }