Split OIDC session cookie if its size is more than 4KB #37891
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gastaldi
approved these changes
Dec 21, 2023
|
✔️ The latest workflow run for the pull request has completed successfully. It should be safe to merge provided you have a look at the other checks in the summary. |
|
Thanks @gastaldi, I'll merge early in Jan, 3rd or 4th Jan, as I'll be off the week starting 8th Jan, Pedro should be back on 2nd Jan so there will be an option for him to comment during those 2 days. Happy Holidays |
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #37836.
This PR will probably be of most help to many users, as mentioned in #37836, quite often, now that the session cookie is encrypted by default, users will get a warning that the encrypted cookie (which typically has 3 tokens concatenated, ID, access and refresh tokens, with ID one taking anything up to 4K and sometimes more in a clear form) is more than 4K.
Next, the users have to choose what to do - we offer many options, but it really can be a bit annoying and sometimes difficult to decide upon - they may have to make a decision to disable the encryption or use the stateful approach with quarkus-oidc-db-token-state-manager, etc.
So this PR simply makes sure it always works by splitting a session cookie into chunks if it exceeds 4K, as for example, done by ASP.NET (as noted at https://stackoverflow.com/questions/77660268/quarkus-oidc-session-cookie-limit) and possibly by some other stacks. Users will still be able to use the other supported options if they prefer.
While the changes look quite extensive, no OIDC logic is affected at all, it is all about making sure that if a session cookie length is greater than 4K, it will be split into chunks and then correctly assembled into a single value, and correctly removed.
I've added a unit test and also fixed/updated a few integration tests which have already been operating with session cookies with the length > 4K, it is just that HtmlUnit does not enforce a 4K limit.
In reality, I believe, we'll ever get up to 2 chunks, cases where we can have cookies up to 20K or so would be extremely rare but nonetheless I've updated the code to deal with a random unsorted number of cookies.
If it can make it to 3.7 it would be great