Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Warn when an OIDC session cookie exceeds 4096 bytes #20431

Merged
merged 1 commit into from
Sep 28, 2021
Merged

Warn when an OIDC session cookie exceeds 4096 bytes #20431

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions ...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMecha
static final String SESSION_COOKIE_NAME = "q_session";
static final String SESSION_MAX_AGE_PARAM = "session-max-age";
static final Uni<Void> VOID_UNI = Uni.createFrom().voidItem();
static final Integer MAX_COOKIE_VALUE_LENGTH = 4096;

private static final Logger LOG = Logger.getLogger(CodeAuthenticationMechanism.class);

Expand Down Expand Up @@ -388,9 +389,21 @@ public Uni<? extends Void> apply(Void t) {

@Override
public Void apply(String cookieValue) {
createCookie(context, configContext.oidcConfig,
String sessionCookie = createCookie(context, configContext.oidcConfig,
getSessionCookieName(configContext.oidcConfig),
cookieValue, sessionMaxAge);
cookieValue, sessionMaxAge).getValue();
if (sessionCookie.length() >= MAX_COOKIE_VALUE_LENGTH) {
LOG.warnf(
"Session cookie length for the tenant %s is equal or greater than %d bytes."
+ " Browsers may ignore this cookie which will cause a new challenge for the authenticated users."
+ " Recommendations: 1. Set 'quarkus.oidc.token-state-manager.split-tokens=true'"
+ " to have the ID, access and refresh tokens stored in separate cookies."
+ " 2. Set 'quarkus.oidc.token-state-manager.strategy=id-refresh-tokens' if you do not need to use the access token"
+ " as a source of roles or to request UserInfo or propagate it to the downstream services."
+ " 3. Register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1.",
configContext.oidcConfig.tenantId.get(),
MAX_COOKIE_VALUE_LENGTH);
}
fireEvent(SecurityEvent.Type.OIDC_LOGIN, securityIdentity);
return null;
}
Expand Down