quarkusio · gastaldi · Jun 15, 2023 · Jun 15, 2023
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java
@@ -39,13 +39,13 @@ public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantCon
                         oidcConfig,
                         getAccessTokenCookieName(oidcConfig),
                         encryptToken(tokens.getAccessToken(), routingContext, oidcConfig),
-                        routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM));
+                        routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), true);
                 if (tokens.getRefreshToken() != null) {
                     CodeAuthenticationMechanism.createCookie(routingContext,
                             oidcConfig,
                             getRefreshTokenCookieName(oidcConfig),
                             encryptToken(tokens.getRefreshToken(), routingContext, oidcConfig),
-                            routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM));
+                            routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), true);
                 }
             }
         } else if (oidcConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {

diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
@@ -147,6 +147,7 @@ quarkus.oidc.tenant-split-tokens.credentials.secret=secret
 quarkus.oidc.tenant-split-tokens.token-state-manager.split-tokens=true
 quarkus.oidc.tenant-split-tokens.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
 quarkus.oidc.tenant-split-tokens.application-type=web-app
+quarkus.oidc.tenant-split-tokens.authentication.cookie-same-site=strict
 
 quarkus.http.auth.permission.roles1.paths=/index.html
 quarkus.http.auth.permission.roles1.policy=authenticated

diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -936,12 +936,15 @@ public void testDefaultSessionManagerSplitTokens() throws IOException, Interrupt
 
             final String decryptSecret = "eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU";
             Cookie idTokenCookie = getSessionCookie(page.getWebClient(), "tenant-split-tokens");
+            assertEquals("strict", idTokenCookie.getSameSite());
             checkSingleTokenCookie(idTokenCookie, "ID", decryptSecret);
 
             Cookie atTokenCookie = getSessionAtCookie(page.getWebClient(), "tenant-split-tokens");
+            assertEquals("strict", atTokenCookie.getSameSite());
             checkSingleTokenCookie(atTokenCookie, "Bearer", decryptSecret);
 
             Cookie rtTokenCookie = getSessionRtCookie(page.getWebClient(), "tenant-split-tokens");
+            assertEquals("strict", rtTokenCookie.getSameSite());
             checkSingleTokenCookie(rtTokenCookie, "Refresh", decryptSecret);
 
             // verify all the cookies are cleared after the session timeout
@@ -1023,11 +1026,6 @@ public Boolean call() throws Exception {
         }
     }
 
-    private void checkSingleTokenCookie(Cookie tokenCookie, String type) {
-        checkSingleTokenCookie(tokenCookie, type, null);
-
-    }
-
     private void checkSingleTokenCookie(Cookie tokenCookie, String type, String decryptSecret) {
         String[] cookieParts = tokenCookie.getValue().split("\\|");
         assertEquals(1, cookieParts.length);