Merge pull request #33550 from sberyozkin/oidc_improve_key_enc_warn_m…

…essage Improve log messages related to OIDC session cookie encryption secret
quarkusio · May 31, 2023 · 7e30f3c · 7e30f3c
2 parents c2b4c5c + 2ca90c2
commit 7e30f3c
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 10 deletions.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -376,15 +376,23 @@ public enum Strategy {
         public boolean splitTokens;
 
         /**
-         * Requires that the tokens are encrypted before being stored in the cookies.
+         * Mandates that the session cookie that stores the tokens is encrypted.
          */
         @ConfigItem(defaultValue = "true")
         public boolean encryptionRequired = true;
 
         /**
-         * Secret which will be used to encrypt the tokens.
-         * This secret must be set if the token encryption is required but no client secret is set.
-         * The length of the secret which will be used to encrypt the tokens must be 32 characters long.
+         * Secret which will be used to encrypt the session cookie storing the tokens when {@link #encryptionRequired} property
+         * is enabled.
+         * <p>
+         * If this secret is not set, the client secret configured with
+         * either `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` will be checked.
+         * Finally, `quarkus.oidc.credentials.jwt.secret` which can be used for `client_jwt_secret` authentication will be
+         * checked.
+         * The secret will be auto-generated if it remains uninitialized after checking all of these properties.
+         * <p>
+         * The length of the secret which will be used to encrypt the tokens should be at least 32 characters long.
+         * Warning will be logged if the secret length is less than 16 characters.
          */
         @ConfigItem
         public Optional<String> encryptionSecret = Optional.empty();

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
@@ -69,21 +69,39 @@ private static SecretKey createPkceSecretKey(OidcTenantConfig config) {
 
     private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
         if (config.tokenStateManager.encryptionRequired) {
-            String encSecret = config.tokenStateManager.encryptionSecret
-                    .orElse(OidcCommonUtils.clientSecret(config.credentials));
-            if (encSecret == null) {
-                encSecret = OidcCommonUtils.jwtSecret(config.credentials);
+            String encSecret = null;
+            if (config.tokenStateManager.encryptionSecret.isPresent()) {
+                encSecret = config.tokenStateManager.encryptionSecret.get();
+            } else {
+                LOG.debug("'quarkus.oidc.token-state-manager.encryption-secret' is not configured, "
+                        + "trying to use the configured client secret");
+                encSecret = OidcCommonUtils.clientSecret(config.credentials);
+                if (encSecret == null) {
+                    LOG.debug("Client secret is not configured, "
+                            + "trying to use the configured 'client_jwt_secret' secret");
+                    encSecret = OidcCommonUtils.jwtSecret(config.credentials);
+                }
             }
             try {
                 if (encSecret == null) {
-                    LOG.warn("Secret key for encrypting tokens is missing, auto-generating it");
+                    LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
                     KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
                     keyGenerator.init(256);
                     return keyGenerator.generateKey();
                 }
                 byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
                 if (secretBytes.length < 32) {
-                    LOG.warn("Secret key for encrypting tokens should be 32 characters long");
+                    String errorMessage = "Secret key for encrypting tokens in a session cookie should be at least 32 characters long"
+                            + " for the strongest cookie encryption to be produced."
+                            + " Please configure 'quarkus.oidc.token-state-manager.encryption-secret'"
+                            + " or update the configured client secret. You can disable the session cookie"
+                            + " encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+                            + " but only if it is considered to be safe in your application's network.";
+                    if (secretBytes.length < 16) {
+                        LOG.warn(errorMessage);
+                    } else {
+                        LOG.debug(errorMessage);
+                    }
                 }
                 return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES");
             } catch (Exception ex) {