
Add encryption secret to configuration #40969

Merged
merged 1 commit into from
Jun 17, 2024

Conversation

Brutus5000

Not setting an encryption-secret can cause unexpected behaviour. Each restart, even from hot reload, will pick a new encryption secret otherwise, invalidating existing logins. This is a very annoying behaviour during development.

@quarkus-bot quarkus-bot bot added area/docstyle issues related for manual docstyle review area/documentation labels Jun 4, 2024


github-actions bot commented Jun 4, 2024

🙈 The PR is closed and the preview is expired.

@geoand geoand requested a review from sberyozkin June 5, 2024 07:03
Member

@sberyozkin sberyozkin left a comment


Thanks @Brutus5000, can you clarify something: do you have a client secret set up in your case?
The note you added is informative but it is only relevant if no fallback to the client secret exists.

Perhaps we should add a note instead explaining it ?

I will continue the review next week since I'm on PTO
Thanks

@Brutus5000
Author

@sberyozkin No, I have not set this up, as the OAuth client I use does not require/have a secret.

@sberyozkin
Member

@Brutus5000 OK, thanks for the confirmation. This is why I suggest having a dedicated note, as opposed to adding the encryption secret property to this demo's configuration, which already has a client secret fallback.

Something like this, at the end of that section where the demo properties are introduced/explained:

[NOTE]
====
When you do not configure a client secret with `quarkus.oidc.credentials.secret`, it is recommended to configure `quarkus.oidc.token-state-manager.encryption-secret`.

The `quarkus.oidc.token-state-manager.encryption-secret` enables the default token state manager to encrypt the user tokens in a browser cookie. If this key is not defined, and the `quarkus.oidc.credentials.secret` fallback is not configured, Quarkus uses a random key. A random key causes existing logins to be invalidated either on application restart or in environments with multiple instances of your application. Alternatively, encryption can also be disabled by setting `quarkus.oidc.token-state-manager.encryption-required` to `false`. However, you should disable secret encryption in development environments only.

The encryption secret is recommended to be 32 chars long. For example, `quarkus.oidc.token-state-manager.encryption-secret=AyM1SysPpbyDfgZld3umj1qzKObwVMk`
====

Does it sound reasonable to you ?
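The fallback chain described in the proposed note (explicit encryption secret, else client secret, else a random per-start key, unless encryption is switched off) is easy to get wrong in a real `application.properties`. The following is an added example, not code from the Quarkus project or from anyone in this thread: a small Python lint that parses a properties file and reports the configurations that lead to a random key or to unencrypted token state. It assumes the property names quoted in the note, that `quarkus.oidc.token-state-manager.encryption-required` defaults to `true` when absent, and that the three sample configurations are constructed for illustration.

```python
"""Lint the Quarkus OIDC token-state-manager settings discussed in the PR.

Added example, not Quarkus project code. The evaluation order follows the
reviewer's note: explicit encryption-secret -> client secret fallback ->
random key. The default of encryption-required=true is an assumption.
"""

RECOMMENDED_SECRET_LENGTH = 32  # length the note recommends for the secret

ENC_SECRET = "quarkus.oidc.token-state-manager.encryption-secret"
ENC_REQUIRED = "quarkus.oidc.token-state-manager.encryption-required"
CLIENT_SECRET = "quarkus.oidc.credentials.secret"


def parse_properties(text: str) -> dict[str, str]:
    """Minimal application.properties parser: key=value (or key:value),
    '#'/'!' comments and blank lines. Line continuations are not handled."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def check_token_state_encryption(props: dict[str, str]) -> list[str]:
    """Return findings about the cookie encryption key; an empty list means
    the key is stable across restarts and instances."""
    findings: list[str] = []

    # Encryption switched off: nothing to key, but token state is in the clear.
    if props.get(ENC_REQUIRED, "true").strip().lower() == "false":
        findings.append(
            f"{ENC_REQUIRED}=false: token state cookie is not encrypted; "
            "acceptable for development only"
        )
        return findings

    enc_secret = props.get(ENC_SECRET, "")
    if enc_secret:
        if len(enc_secret) < RECOMMENDED_SECRET_LENGTH:
            findings.append(
                f"{ENC_SECRET} is {len(enc_secret)} chars; "
                f"{RECOMMENDED_SECRET_LENGTH} recommended"
            )
        return findings

    # No explicit key: the client secret, if any, is the fallback.
    if props.get(CLIENT_SECRET, ""):
        return findings

    findings.append(
        f"neither {ENC_SECRET} nor {CLIENT_SECRET} is set: a random key is "
        "generated per start, so logins are invalidated on restart and do not "
        "survive across multiple instances"
    )
    return findings


# Constructed sample configurations (not taken from the Quarkus docs).
PUBLIC_CLIENT_NO_SECRET = """
# public OAuth client, provider issues no client secret
quarkus.oidc.auth-server-url=https://issuer.example/realms/demo
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
"""

PUBLIC_CLIENT_FIXED = PUBLIC_CLIENT_NO_SECRET + (
    # 32-char constructed placeholder; generate a real one per deployment
    f"{ENC_SECRET}=0123456789abcdef0123456789abcdef\n"
)

DEV_ENCRYPTION_OFF = PUBLIC_CLIENT_NO_SECRET + f"{ENC_REQUIRED}=false\n"


def lint(text: str) -> list[str]:
    """Convenience wrapper: parse then check."""
    return check_token_state_encryption(parse_properties(text))


if __name__ == "__main__":
    for name, cfg in [("no secret", PUBLIC_CLIENT_NO_SECRET),
                      ("fixed", PUBLIC_CLIENT_FIXED),
                      ("dev, encryption off", DEV_ENCRYPTION_OFF)]:
        print(f"{name}: {lint(cfg) or ['ok']}")
```

Running it against the first sample reproduces the situation from the PR description (a public client with no secret of either kind), the second shows the fix the note recommends, and the third shows the development-only escape hatch, which the lint still flags so it cannot slip into a production profile unnoticed.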

@gastaldi gastaldi added the triage/needs-feedback We are waiting for feedback. label Jun 15, 2024
@Brutus5000 Brutus5000 force-pushed the patch-1 branch 2 times, most recently from b536ef8 to 6440f49 Compare June 17, 2024 16:15
@Brutus5000
Author

@sberyozkin I adjusted the commit accordingly.


quarkus-bot bot commented Jun 17, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 60534ab.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Member

@sberyozkin sberyozkin left a comment


Thanks @Brutus5000

@sberyozkin sberyozkin merged commit 79dbe9f into quarkusio:main Jun 17, 2024
5 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.13 - main milestone Jun 17, 2024
@gsmet gsmet modified the milestones: 3.13 - main, 3.12.0 Jun 18, 2024