Description
This enhancement request is related to https://stackoverflow.com/questions/77660268/quarkus-oidc-session-cookie-limit and is about addressing the same problem that #37785 tries to address, but in a more general way.
The problem is that when the ID token is really large, then, even if we configure OIDC not to store all the tokens in the session cookie and instead have one cookie for the ID token, and 2 more cookies for access and refresh tokens, the encrypted session cookie containing the ID token only will still be larger than 4K. So when it happens, as mentioned in #37785, a warning is logged and users have to choose other options like storing tokens in a DB (Quarkus provides an extension to support it), or disabling the encryption.
However, one more option is available, mentioned in the 1st comment at https://stackoverflow.com/questions/77660268/quarkus-oidc-session-cookie-limit: split the session cookie into chunks.
Implementation ideas
Split the session cookie into chunks, for example, q_session_1, q_session_2, etc.
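A sketch of the chunking idea above, added here as an example and not taken from Quarkus or from the issue author: it splits an already-encrypted cookie value into `q_session_1`, `q_session_2`, etc., and rejoins it only when the indices are contiguous. The class and method names, the 4000-character chunk size and the 8-chunk cap are assumptions.

```java
import java.util.*;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class SessionCookieChunks {
    // Assumed values for this sketch, not Quarkus configuration.
    static final String PREFIX = "q_session_";
    static final Pattern CHUNK = Pattern.compile(PREFIX + "\\d{1,3}");
    static final int MAX_CHUNK = 4000; // leaves headroom under 4K for name and attributes
    static final int MAX_CHUNKS = 8;   // caps total request header growth
    /** Splits the already-encrypted cookie value into q_session_1..n. */
    static Map<String, String> split(String encrypted) {
        int n = (encrypted.length() + MAX_CHUNK - 1) / MAX_CHUNK;
        if (n > MAX_CHUNKS) throw new IllegalArgumentException("session needs " + n + " chunks");
        Map<String, String> cookies = new LinkedHashMap<>();
        for (int i = 0; i < n; i++) {
            int end = Math.min(encrypted.length(), (i + 1) * MAX_CHUNK);
            cookies.put(PREFIX + (i + 1), encrypted.substring(i * MAX_CHUNK, end));
        }
        return cookies;
    }
    /** Rejoins chunks in index order; null when none are present or an index is missing. */
    static String join(Map<String, String> requestCookies) {
        StringBuilder value = new StringBuilder();
        int next = 1;
        while (next <= MAX_CHUNKS && requestCookies.containsKey(PREFIX + next)) {
            value.append(requestCookies.get(PREFIX + next++));
        }
        long present = requestCookies.keySet().stream().filter(k -> CHUNK.matcher(k).matches()).count();
        return (next == 1 || present != next - 1) ? null : value.toString();
    }
    /** Chunk cookies left from an earlier, larger session; expire these when re-issuing. */
    static List<String> stale(Map<String, String> requestCookies, int newCount) {
        return requestCookies.keySet().stream()
                .filter(k -> CHUNK.matcher(k).matches())
                .filter(k -> Integer.parseInt(k.substring(PREFIX.length())) > newCount)
                .collect(Collectors.toList());
    }
    public static void main(String[] args) {
        StringBuilder sb = new StringBuilder(); // constructed stand-in for the encrypted value
        for (int i = 0; i < 9500; i++) sb.append(i % 10);
        Map<String, String> cookies = split(sb.toString());
        System.out.println(cookies.keySet() + " roundtrip=" + sb.toString().equals(join(cookies)));
        System.out.println("stale after shrinking to 2: " + stale(cookies, 2));
        cookies.remove(PREFIX + 2);
        System.out.println("with a gap: " + join(cookies));
    }
}
```

Splitting after encryption keeps the integrity check on the whole value: a leftover chunk that is not expired when the session shrinks is concatenated with the new chunks and makes decryption of the rejoined value fail.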