

Improve log messages related to OIDC session cookie encryption secret
sberyozkin committed May 23, 2023
1 parent f7af2e5 commit 8c00a5a
Showing 2 changed files with 31 additions and 10 deletions.
Expand Up @@ -372,15 +372,18 @@ public enum Strategy {
public boolean splitTokens;

/**
* Requires that the tokens are encrypted before being stored in the cookies.
* Requires that the session cookie storing the tokens is encrypted.
*/
@ConfigItem(defaultValue = "true")
public boolean encryptionRequired = true;

/**
* Secret which will be used to encrypt the tokens.
* This secret must be set if the token encryption is required but no client secret is set.
* The length of the secret which will be used to encrypt the tokens must be 32 characters long.
* Secret which will be used to encrypt the session cookie storing the tokens when {@link #encryptionRequired} property
* is enabled.
* If this secret is not configured then a configured client secret will be checked.
* The encryption secret will be auto-generated if neither this property nor client secret are configured.
* The length of the secret which will be used to encrypt the tokens should be at least 32 characters long.
* Warning will be logged if the secret length is less than 16 characters.
*/
@ConfigItem
public Optional<String> encryptionSecret = Optional.empty();
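Review bot: The new Javadoc on encryptionSecret speaks of 32 and 16 "characters", but the check in the second file's createTokenEncSecretKey measures `encSecret.getBytes(StandardCharsets.UTF_8).length`, so the unit an operator has to reason about is UTF-8 bytes, and a secret with multi-byte characters can satisfy the check with fewer characters than the doc suggests; suggest `* The secret should be at least 32 bytes long when encoded as UTF-8; a warning is logged if it is shorter than 16 bytes.` The fallback order described here also omits the `client_jwt_secret` that the code tries after the client secret, so a reader of the config doc does not learn that a short JWT secret can end up as the cookie key. The sentence about auto-generation deserves a caveat: the generated AES key presumably lives only in the process that generated it, so session cookies would likely not be decryptable after a restart or by another instance — worth stating if that is the intended behaviour.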
Expand Up @@ -68,21 +68,39 @@ private static SecretKey createPkceSecretKey(OidcTenantConfig config) {

private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
if (config.tokenStateManager.encryptionRequired) {
String encSecret = config.tokenStateManager.encryptionSecret
.orElse(OidcCommonUtils.clientSecret(config.credentials));
if (encSecret == null) {
encSecret = OidcCommonUtils.jwtSecret(config.credentials);
String encSecret = null;
if (config.tokenStateManager.encryptionSecret.isPresent()) {
encSecret = config.tokenStateManager.encryptionSecret.get();
} else {
LOG.debug("'quarkus.oidc.token-state-manager.encryption-secret' is not configured, "
+ "trying to use the configured client secret");
encSecret = OidcCommonUtils.clientSecret(config.credentials);
if (encSecret == null) {
LOG.debug("Client secret is not configured, "
+ "trying to use the configured 'client_jwt_secret' secret");
encSecret = OidcCommonUtils.jwtSecret(config.credentials);
}
}
try {
if (encSecret == null) {
LOG.warn("Secret key for encrypting tokens is missing, auto-generating it");
LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
keyGenerator.init(256);
return keyGenerator.generateKey();
}
byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
if (secretBytes.length < 32) {
LOG.warn("Secret key for encrypting tokens should be 32 characters long");
String errorMessage = "Secret key for encrypting tokens in a session cookie should be at least 32 characters long"
+ " for the strongest cookie encryption be produced."
+ " Please configure 'quarkus.oidc.token-state-manager.encryption-secret'"
+ " or update the configured client secret. You can disable the session cookie"
+ " encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ " but only if it is considered to be safe in your application's network.";
if (secretBytes.length < 16) {
LOG.warn(errorMessage);
} else {
LOG.debug(errorMessage);
}
}
return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES");
} catch (Exception ex) {
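Review bot: The warning built from errorMessage cannot tell the operator which of the three sources (the encryption-secret property, the client secret, or client_jwt_secret) produced the short encSecret, so its advice to "update the configured client secret" may point at the wrong property; recording the source name in the same branches that assign encSecret and appending it, e.g. `LOG.warn(errorMessage + " (secret source: " + secretSource + ")");`, would make the message actionable. The message text has a grammar slip: `+ " for the strongest cookie encryption be produced."` should read `+ " for the strongest cookie encryption to be produced."`. Because the key is `OidcUtils.getSha256Digest(secretBytes)`, a short secret still yields a full-length AES key, so the length check is really about entropy, and a secret under 16 bytes only logs and proceeds — failing fast there, or documenting why a warning is considered sufficient, would be the stricter choice. errorMessage is a constant rebuilt on every call; a `private static final String` field is the idiomatic home for it. createTokenEncSecretKey's catch block continues past the hunk.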