From dbf6324da0e00072c91f9a432839c01aae8f515a Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Sat, 15 Jul 2023 18:29:00 +0100
Subject: [PATCH] Add another hint how to decrease OIDC session cookie size
---
 .../io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
index 435cefdf313d0..0104dc8dc68ed 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -870,7 +870,9 @@ public Void apply(String cookieValue) {
 + " to have the ID, access and refresh tokens stored in separate cookies."
 + " 2. Set 'quarkus.oidc.token-state-manager.strategy=id-refresh-tokens' if you do not need to use the access token"
 + " as a source of roles or to request UserInfo or propagate it to the downstream services."
- + " 3. Register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1.",
+ + " 3. Decrease the session cookie's length by disabling its encryption with 'quarkus.oidc.token-state-manager.encryption-required=false'"
+ + " but only if it is considered to be safe in your application's network."
+ + " 4. Register a custom 'quarkus.oidc.TokenStateManager' CDI bean with the alternative priority set to 1.",
 configContext.oidcConfig.tenantId.get(), MAX_COOKIE_VALUE_LENGTH);
 }
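Review bot: The new recommendation 3 tells operators to switch off session cookie encryption, but its caveat ("only if it is considered to be safe in your application's network") never says what is given up. Recommendation 1 in the same message shows that the cookie carries the ID, access and refresh tokens, so without the encryption layer they are stored as issued and are readable by anything that can see the cookie value. Because this text is a runtime message an operator may act on directly, I would name the consequence and list the option last, after the custom `TokenStateManager` hint: `+ " 4. As a last resort, disable the session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false';"` followed by `+ " the ID, access and refresh tokens are then kept in the cookie without encryption and can be read by whoever can read the cookie.",`. The logging call this string belongs to starts above the hunk, so its level and the opening of the message are not visible here.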