From 48ba32b8613890045a9ae42553df0db5ed2b07ef Mon Sep 17 00:00:00 2001 From: sberyozkin Date: Mon, 11 Jan 2021 16:16:17 +0000 Subject: [PATCH] Update docs/src/main/asciidoc/security-openid-connect-web-authentication.adoc Co-authored-by: George Gastaldi --- .../asciidoc/security-openid-connect-web-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/src/main/asciidoc/security-openid-connect-web-authentication.adoc b/docs/src/main/asciidoc/security-openid-connect-web-authentication.adoc index 3b8d5772da7fe8..dbe4f60c8d76fa 100644 --- a/docs/src/main/asciidoc/security-openid-connect-web-authentication.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-web-authentication.adoc 
@@ -371,7 +371,7 @@ Note this user session can not be extended forever - the returning user with the OIDC `CodeAuthenticationMechanism` is using the default `io.quarkus.oidc.TokenStateManager' interface implementation to keep the ID, access and refresh tokens returned in the authorization code or refresh grant responses in a session cookie. It makes Quarkus OIDC endpoints completely stateless. -Note that some endpoints do not require the access token. Access token is only required if the endpoint needs to retrieve `UserInfo` or access the downstream service with this access token or use the roles in the access token (the roles in the ID token are checked by default). In such cases you can set either `quarkus.oidc.state-session-manager.stategy=id-refresh-token` (keep ID and refresh tokens only) or `quarkus.oidc.state-session-manager.stategy=id-token` (keep ID token only). +Note that some endpoints do not require the access token.An access token is only required if the endpoint needs to retrieve `UserInfo` or access the downstream service with this access token or use the roles associated with the access token (the roles in the ID token are checked by default). In such cases you can set either `quarkus.oidc.state-session-manager.strategy=id-refresh-token` (keep ID and refresh tokens only) or `quarkus.oidc.state-session-manager.strategy=id-token` (keep ID token only). If the ID, access and refresh tokens are JWT tokens then combining all of them (if the strategy is the default `keep-all-tokens`) or only ID and refresh tokens (if the strategy is `id-refresh-token`) may produce a session cookie value larger than 4KB and the browsers may not be able to keep this cookie. In such cases, you can use `quarkus.oidc.token-state-manager.split-tokens=true` to have a unique session token per each of these tokens.
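Review bot: The added line still carries a typo and a property-name inconsistency. "the access token.An access token" is missing a space after the period; it should read "the access token. An access token". More importantly, the new text names the property `quarkus.oidc.state-session-manager.strategy` (fixing `stategy` to `strategy`), while the unchanged context line directly below uses the prefix `quarkus.oidc.token-state-manager.split-tokens`; the two prefixes (`state-session-manager` vs `token-state-manager`) cannot both be right for the same token state manager configuration, so please check the actual config key and use the same prefix in both places, since a reader copying the documented key will otherwise set a property that has no effect and keep all tokens in the session cookie. The same review should confirm the context line's `io.quarkus.oidc.TokenStateManager'` closes its backtick rather than ending with an apostrophe.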