From 8c00a5a3d16b445fbe134c3c7c941d7ea5e6ffe7 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Tue, 23 May 2023 11:07:07 +0100
Subject: [PATCH] Improve log messages related to OIDC session cookie encryption secret
---
 .../io/quarkus/oidc/OidcTenantConfig.java | 11 ++++---
 .../oidc/runtime/TenantConfigContext.java | 30 +++++++++++++++----
 2 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
index 58f8479206ef28..e81b194f828136 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -372,15 +372,18 @@ public enum Strategy {
 public boolean splitTokens;
 
 /**
- * Requires that the tokens are encrypted before being stored in the cookies.
+ * Requires that the session cookie storing the tokens is encrypted.
 */
 @ConfigItem(defaultValue = "true")
 public boolean encryptionRequired = true;
 
 /**
- * Secret which will be used to encrypt the tokens.
- * This secret must be set if the token encryption is required but no client secret is set.
- * The length of the secret which will be used to encrypt the tokens must be 32 characters long.
+ * Secret which will be used to encrypt the session cookie storing the tokens when {@link #encryptionRequired} property
+ * is enabled.
+ * If this secret is not configured then a configured client secret will be checked.
+ * The encryption secret will be auto-generated if neither this property nor client secret are configured.
+ * The length of the secret which will be used to encrypt the tokens should be at least 32 characters long.
+ * Warning will be logged if the secret length is less than 16 characters.
 */
 @ConfigItem
 public Optional encryptionSecret = Optional.empty();
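Review bot: The new Javadoc on `encryptionSecret` describes the fallback as client secret then auto-generation, but the lookup in TenantConfigContext (second hunk of this patch) also tries `OidcCommonUtils.jwtSecret(config.credentials)` before generating a key, so the auto-generation sentence understates the chain. The two length sentences say "characters" while the check in that hunk is on `encSecret.getBytes(StandardCharsets.UTF_8).length`, so a secret containing multi-byte characters is measured in bytes, not characters. Suggest `* If neither this property, the client secret nor the client JWT secret is configured, the encryption key is auto-generated.` and `* The secret is measured in UTF-8 bytes; it should be at least 32 bytes long, and a warning is logged if it is shorter than 16 bytes.` It may also be worth stating, if it holds, that an auto-generated key is only known to the process that generated it, so cookies encrypted with it would not be readable by another instance or after a restart.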
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
index 9ff389f5acd2f4..488c31bdcc7fa0 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java
@@ -68,21 +68,39 @@ private static SecretKey createPkceSecretKey(OidcTenantConfig config) {
 
 private static SecretKey createTokenEncSecretKey(OidcTenantConfig config) {
 if (config.tokenStateManager.encryptionRequired) {
- String encSecret = config.tokenStateManager.encryptionSecret
- .orElse(OidcCommonUtils.clientSecret(config.credentials));
- if (encSecret == null) {
- encSecret = OidcCommonUtils.jwtSecret(config.credentials);
+ String encSecret = null;
+ if (config.tokenStateManager.encryptionSecret.isPresent()) {
+ encSecret = config.tokenStateManager.encryptionSecret.get();
+ } else {
+ LOG.debug("'quarkus.oidc.token-state-manager.encryption-secret' is not configured, " + "trying to use the configured client secret");
+ encSecret = OidcCommonUtils.clientSecret(config.credentials);
+ if (encSecret == null) {
+ LOG.debug("Client secret is not configured, " + "trying to use the configured 'client_jwt_secret' secret");
+ encSecret = OidcCommonUtils.jwtSecret(config.credentials);
+ }
 }
 try {
 if (encSecret == null) {
- LOG.warn("Secret key for encrypting tokens is missing, auto-generating it");
+ LOG.warn("Secret key for encrypting tokens in a session cookie is missing, auto-generating it");
 KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
 keyGenerator.init(256);
 return keyGenerator.generateKey();
 }
 byte[] secretBytes = encSecret.getBytes(StandardCharsets.UTF_8);
 if (secretBytes.length < 32) {
- LOG.warn("Secret key for encrypting tokens should be 32 characters long");
+ String errorMessage = "Secret key for encrypting tokens in a session cookie should be at least 32 characters long" + " for the strongest cookie encryption be produced." + " Please configure 'quarkus.oidc.token-state-manager.encryption-secret'" + " or update the configured client secret. You can disable the session cookie" + " encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'" + " but only if it is considered to be safe in your application's network.";
+ if (secretBytes.length < 16) {
+ LOG.warn(errorMessage);
+ } else {
+ LOG.debug(errorMessage);
+ }
 }
 return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES");
 } catch (Exception ex) {
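Review bot: The new branch at `if (secretBytes.length < 16)` downgrades secrets of 16–31 bytes from the previous unconditional warning to `LOG.debug`, which is normally disabled in production, so a too-short secret is now accepted silently in exactly the range where the old code alerted. The key is a plain SHA-256 of the secret bytes (`OidcUtils.getSha256Digest(secretBytes)`), so the 256-bit key length adds nothing beyond the entropy of the configured secret and operators should still be told about the shortfall; I would log the 16–31 case as `LOG.info(errorMessage);` or keep `LOG.warn` for the whole `< 32` range. The message text also needs `" for the strongest cookie encryption to be produced."`, and it says "characters" while the check counts UTF-8 bytes. As a style point, `String encSecret = null;` is assigned on every path, so `final String encSecret;` would let the compiler enforce that. The enclosing method continues past the hunk's `catch`.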