diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
index ab2e4a881a03b..0ff84fb10d26f 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -376,15 +376,23 @@ public enum Strategy {
public boolean splitTokens;
/**
- * Requires that the tokens are encrypted before being stored in the cookies.
+ * Mandates that the session cookie that stores the tokens is encrypted.
*/
@ConfigItem(defaultValue = "true")
public boolean encryptionRequired = true;
/**
- * Secret which will be used to encrypt the tokens.
- * This secret must be set if the token encryption is required but no client secret is set.
- * The length of the secret which will be used to encrypt the tokens must be 32 characters long.
+ * Secret which will be used to encrypt the session cookie storing the tokens when {@link #encryptionRequired} property
+ * is enabled.
+ *
+ * If this secret is not set, the client secret configured with
+ * either `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` will be checked.
+ * Finally, `quarkus.oidc.credentials.jwt.secret` which can be used for `client_jwt_secret` authentication will be
+ * checked.
+ * The secret will be auto-generated if it remains uninitialized after checking all of these properties.
+ *
+ * The length of the secret which will be used to encrypt the tokens should be at least 32 characters long.
+ * Warning will be logged if the secret length is less than 16 characters.
*/
@ConfigItem
public Optional encryptionSecret = Optional.empty();
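Review bot: The new Javadoc on `encryptionSecret` documents the fallback chain and the auto-generation but not the operational consequence of the last step: in the TenantConfigContext hunk of this same commit the auto-generated key comes from `KeyGenerator.getInstance("AES")` at startup and nothing in the diff persists it, so session cookies encrypted with it presumably cannot be decrypted after a restart or by another instance. A sentence such as `The auto-generated secret is specific to the running process, so an explicit secret should be configured when sessions must survive restarts or be shared across instances.` would tell operators when the fallback is not acceptable. The length guidance is also stated in characters while the runtime check measures UTF-8 bytes; saying `32 bytes when UTF-8 encoded` keeps the two in step.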
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
index d748c56035fb7..42d8373b2a0d5 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
@@ -69,21 +69,39 @@ private static SecretKey createPkceSecretKey(OidcTenantConfig config) {
private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
if (config.tokenStateManager.encryptionRequired) {
- String encSecret = config.tokenStateManager.encryptionSecret
- .orElse(OidcCommonUtils.clientSecret(config.credentials));
- if (encSecret == null) {
- encSecret = OidcCommonUtils.jwtSecret(config.credentials);
+ String encSecret = null;
+ if (config.tokenStateManager.encryptionSecret.isPresent()) {
+ encSecret = config.tokenStateManager.encryptionSecret.get();
+ } else {
+ LOG.debug("'quarkus.oidc.token-state-manager.encryption-secret' is not configured, "
+ + "trying to use the configured client secret");
+ encSecret = OidcCommonUtils.clientSecret(config.credentials);
+ if (encSecret == null) {
+ LOG.debug("Client secret is not configured, "
+ + "trying to use the configured 'client_jwt_secret' secret");
+ encSecret = OidcCommonUtils.jwtSecret(config.credentials);
+ }
}
try {
if (encSecret == null) {
- LOG.warn("Secret key for encrypting tokens is missing, auto-generating it");
+ LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
keyGenerator.init(256);
return keyGenerator.generateKey();
}
byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
if (secretBytes.length < 32) {
- LOG.warn("Secret key for encrypting tokens should be 32 characters long");
+ String errorMessage = "Secret key for encrypting tokens in a session cookie should be at least 32 characters long"
+ + " for the strongest cookie encryption to be produced."
+ + " Please configure 'quarkus.oidc.token-state-manager.encryption-secret'"
+ + " or update the configured client secret. You can disable the session cookie"
+ + " encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ + " but only if it is considered to be safe in your application's network.";
+ if (secretBytes.length < 16) {
+ LOG.warn(errorMessage);
+ } else {
+ LOG.debug(errorMessage);
+ }
}
return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES");
} catch (Exception ex) {
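Review bot: The new message built at the `String errorMessage` lines says the secret "should be at least 32 characters long", but the check feeding it (`secretBytes.length < 32` and the new `secretBytes.length < 16`) counts UTF-8 bytes, so the text and the condition disagree for any non-ASCII secret; saying `at least 32 bytes (UTF-8 encoded)` matches what is actually tested. The new split also moves secrets of 16–31 bytes from a warning to a debug log, which is effectively silent under default logging even though the message itself still says 32 bytes are needed for the strongest encryption; `LOG.info(errorMessage);` for that range would keep the advice visible without alarming. The added debug statements correctly log only which fallback is being tried and never the secret value itself. createTokenEncSecretKey continues past the hunk.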