diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java index ab2e4a881a03b..0ff84fb10d26f 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java @@ -376,15 +376,23 @@ public enum Strategy { public boolean splitTokens; /** - * Requires that the tokens are encrypted before being stored in the cookies. + * Mandates that the session cookie that stores the tokens is encrypted. */ @ConfigItem(defaultValue = "true") public boolean encryptionRequired = true; /** - * Secret which will be used to encrypt the tokens. - * This secret must be set if the token encryption is required but no client secret is set. - * The length of the secret which will be used to encrypt the tokens must be 32 characters long. + * Secret which will be used to encrypt the session cookie storing the tokens when {@link #encryptionRequired} property + * is enabled. + *

+ * If this secret is not set, the client secret configured with + * either `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` will be checked. + * Finally, `quarkus.oidc.credentials.jwt.secret` which can be used for `client_jwt_secret` authentication will be + * checked. + * The secret will be auto-generated if it remains uninitialized after checking all of these properties. + *

+ * The length of the secret which will be used to encrypt the tokens should be at least 32 characters long. + * Warning will be logged if the secret length is less than 16 characters. */ @ConfigItem public Optional encryptionSecret = Optional.empty(); diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java index d748c56035fb7..42d8373b2a0d5 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java @@ -69,21 +69,39 @@ private static SecretKey createPkceSecretKey(OidcTenantConfig config) { private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) { if (config.tokenStateManager.encryptionRequired) { - String encSecret = config.tokenStateManager.encryptionSecret - .orElse(OidcCommonUtils.clientSecret(config.credentials)); - if (encSecret == null) { - encSecret = OidcCommonUtils.jwtSecret(config.credentials); + String encSecret = null; + if (config.tokenStateManager.encryptionSecret.isPresent()) { + encSecret = config.tokenStateManager.encryptionSecret.get(); + } else { + LOG.debug("'quarkus.oidc.token-state-manager.encryption-secret' is not configured, " + + "trying to use the configured client secret"); + encSecret = OidcCommonUtils.clientSecret(config.credentials); + if (encSecret == null) { + LOG.debug("Client secret is not configured, " + + "trying to use the configured 'client_jwt_secret' secret"); + encSecret = OidcCommonUtils.jwtSecret(config.credentials); + } } try { if (encSecret == null) { - LOG.warn("Secret key for encrypting tokens is missing, auto-generating it"); + LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it"); KeyGenerator keyGenerator = KeyGenerator.getInstance("AES"); keyGenerator.init(256); return keyGenerator.generateKey(); } byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8); if (secretBytes.length < 32) { - LOG.warn("Secret key for encrypting tokens should be 32 characters long"); + String errorMessage = "Secret key for encrypting tokens in a session cookie should be at least 32 characters long" + + " for the strongest cookie encryption to be produced." + + " Please configure 'quarkus.oidc.token-state-manager.encryption-secret'" + + " or update the configured client secret. You can disable the session cookie" + + " encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'" + + " but only if it is considered to be safe in your application's network."; + if (secretBytes.length < 16) { + LOG.warn(errorMessage); + } else { + LOG.debug(errorMessage); + } } return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES"); } catch (Exception ex) {