Commit

Merge pull request quarkusio#34773 from sberyozkin/encrypted_session_…
…warning_update

Add another hint how to decrease OIDC session cookie size
sberyozkin authored Jul 17, 2023
2 parents 71dbe87 + dbf6324 commit d903356
Showing 1 changed file with 3 additions and 1 deletion.
Expand Up @@ -899,7 +899,9 @@ public Void apply(String cookieValue) {
+ " to have the ID, access and refresh tokens stored in separate cookies."
+ " 2. Set 'quarkus.oidc.token-state-manager.strategy=id-refresh-tokens' if you do not need to use the access token"
+ " as a source of roles or to request UserInfo or propagate it to the downstream services."
+ " 3. Register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1.",
+ " 3. Decrease the session cookie's length by disabling its encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ " but only if it is considered to be safe in your application's network."
+ " 4. Register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1.",
configContext.oidcConfig.tenantId.get(),
MAX_COOKIE_VALUE_LENGTH);
}
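Review bot: The qualifier on the new hint 3, "but only if it is considered to be safe in your application's network", does not tell the reader what they give up by following it. The first hint in this message says the session cookie carries the ID, access and refresh tokens, so with 'quarkus.oidc.token-state-manager.encryption-required=false' those tokens sit in the cookie unencrypted. Suggest stating that consequence in the hint itself, and listing this option after the custom 'quarkus.oidc.TokenStateManager' hint so the size reductions that keep encryption are read first.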