diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java
index 19623c965c0cd..bc66480aa59fb 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java
@@ -39,13 +39,13 @@ public Uni createTokenState(RoutingContext routingContext, OidcTenantCon
 oidcConfig,
 getAccessTokenCookieName(oidcConfig),
 encryptToken(tokens.getAccessToken(), routingContext, oidcConfig),
- routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM));
+ routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), true);
 if (tokens.getRefreshToken() != null) {
 CodeAuthenticationMechanism.createCookie(routingContext, oidcConfig,
 getRefreshTokenCookieName(oidcConfig),
 encryptToken(tokens.getRefreshToken(), routingContext, oidcConfig),
- routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM));
+ routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), true);
 }
 }
 } else if (oidcConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {
diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
index f1b6627678b49..ef7d0fa28bd28 100644
--- a/integration-tests/oidc-code-flow/src/main/resources/application.properties
+++ b/integration-tests/oidc-code-flow/src/main/resources/application.properties
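Review bot: The bare `true` appended to both `createCookie(...)` calls is opaque at the call site; nothing in the hunk says what it switches on, so a reader has to open `CodeAuthenticationMechanism.createCookie` to learn its meaning, and the two call sites can silently drift apart. If, as the `cookie-same-site=strict` property and the `getSameSite()` assertions elsewhere in this commit suggest, the flag makes the helper apply the tenant's configured SameSite attribute to the access and refresh token cookies, say so inline, e.g. `routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), /* applySameSite= */ true);`, or introduce a named constant used at both sites. A one-line comment above the first call explaining that these cookies hold encrypted access/refresh tokens and must therefore get the same cookie attributes as the ID token session cookie would also help, assuming that is what the flag guarantees. `createTokenState` starts and ends outside this hunk.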
@@ -147,6 +147,7 @@ quarkus.oidc.tenant-split-tokens.credentials.secret=secret
 quarkus.oidc.tenant-split-tokens.token-state-manager.split-tokens=true
 quarkus.oidc.tenant-split-tokens.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
 quarkus.oidc.tenant-split-tokens.application-type=web-app
+quarkus.oidc.tenant-split-tokens.authentication.cookie-same-site=strict
 quarkus.http.auth.permission.roles1.paths=/index.html
 quarkus.http.auth.permission.roles1.policy=authenticated
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
index 9637fd1b762b6..550c9fdef0d25 100644
--- a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
+++ b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -936,12 +936,15 @@ public void testDefaultSessionManagerSplitTokens() throws IOException, Interrupt
 final String decryptSecret = "eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU";
 Cookie idTokenCookie = getSessionCookie(page.getWebClient(), "tenant-split-tokens");
+ assertEquals("strict", idTokenCookie.getSameSite());
 checkSingleTokenCookie(idTokenCookie, "ID", decryptSecret);
 Cookie atTokenCookie = getSessionAtCookie(page.getWebClient(), "tenant-split-tokens");
+ assertEquals("strict", atTokenCookie.getSameSite());
 checkSingleTokenCookie(atTokenCookie, "Bearer", decryptSecret);
 Cookie rtTokenCookie = getSessionRtCookie(page.getWebClient(), "tenant-split-tokens");
+ assertEquals("strict", rtTokenCookie.getSameSite());
 checkSingleTokenCookie(rtTokenCookie, "Refresh", decryptSecret);
 // verify all the cookies are cleared after the session timeout
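Review bot: The new `cookie-same-site=strict` line is undocumented, and since it is the only visible tenant that departs from the default SameSite value, the next person tidying this file may well revert it without knowing it backs an assertion in `CodeFlowTest`. Put a comment above it, e.g. `# strict (not the default) so CodeFlowTest can verify the split access/refresh token cookies inherit the tenant's SameSite setting`. A caveat worth recording for anyone copying this tenant as a template: with Strict, browsers omit the session cookies on any cross-site top-level navigation into the application, which may include the request that follows the IdP's redirect back from the code flow, so a real deployment can see an extra authentication round-trip; Lax is the usual choice for OIDC session cookies, and Strict is only safe here because the test merely inspects the attribute.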
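Review bot: The three added `assertEquals("strict", …getSameSite())` lines repeat one check for cookies that are already funnelled through `checkSingleTokenCookie`, a helper this commit is reworking anyway; folding the SameSite expectation into the helper keeps the three cookies from drifting apart if a later change drops the attribute on one of them. If the helper is shared with tenants that keep the default SameSite, pass the expected value in, `checkSingleTokenCookie(idTokenCookie, "ID", decryptSecret, "strict")`, and assert `assertEquals(expectedSameSite, tokenCookie.getSameSite());` inside it. Either way, a short comment stating that the split access/refresh token cookies are expected to carry the tenant's `cookie-same-site` setting, which is what these assertions exercise, would explain why this tenant and not the others is configured strict. `testDefaultSessionManagerSplitTokens` starts and ends outside this hunk.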
@@ -1023,11 +1026,6 @@ public Boolean call() throws Exception { } } - private void checkSingleTokenCookie(Cookie tokenCookie, String type) { - checkSingleTokenCookie(tokenCookie, type, null); - - } - private void checkSingleTokenCookie(Cookie tokenCookie, String type, String decryptSecret) { String[] cookieParts = tokenCookie.getValue().split("\\|"); assertEquals(1, cookieParts.length);