From 1501eb871a2081b5ef6dbacb6fe912fb4582a13b Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Thu, 2 Feb 2023 18:55:59 +0000
Subject: [PATCH] Make OIDC session cookie same site lax by default

---
 .../src/main/java/io/quarkus/oidc/OidcTenantConfig.java | 4 ++--
 .../oidc-code-flow/src/main/resources/application.properties | 2 +-
 .../src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
index ebe214e2d7ea3..d31a0acd5cda4 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -769,8 +769,8 @@ public enum ResponseMode {
 /**
 * SameSite attribute for the session cookie.
 */
- @ConfigItem(defaultValue = "strict")
- public CookieSameSite cookieSameSite = CookieSameSite.STRICT;
+ @ConfigItem(defaultValue = "lax")
+ public CookieSameSite cookieSameSite = CookieSameSite.LAX;
 
 /**
 * If this property is set to 'true' then an OIDC UserInfo endpoint will be called.
diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
index e0165d8c3a2f2..21aee9df70ca6 100644
--- a/integration-tests/oidc-code-flow/src/main/resources/application.properties
+++ b/integration-tests/oidc-code-flow/src/main/resources/application.properties
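Review bot: The Javadoc on `cookieSameSite` in the OidcTenantConfig hunk still reads only `SameSite attribute for the session cookie.`, so the move of the default from STRICT to LAX is invisible to anyone reading the config reference and is a silent change for deployments that never set the property. Lax keeps the cookie off cross-site subrequests and non-GET requests but does send it on top-level cross-site navigations, which is exactly the surface Strict closed, so existing tenants now get the weaker setting without touching their configuration. I would extend the comment to `* SameSite attribute for the session cookie. Defaults to {@code lax}; set {@code strict} to also withhold the cookie on top-level cross-site navigations, including redirects arriving from another site.` and call the changed default out in the release or migration notes. The field's enclosing class is outside the hunk.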
@@ -107,7 +107,7 @@ quarkus.oidc.tenant-https.authentication.cookie-suffix=test
 quarkus.oidc.tenant-https.authentication.error-path=/tenant-https/error
 quarkus.oidc.tenant-https.authentication.pkce-required=true
 quarkus.oidc.tenant-https.authentication.pkce-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
-quarkus.oidc.tenant-https.authentication.cookie-same-site=lax
+quarkus.oidc.tenant-https.authentication.cookie-same-site=strict
 
 quarkus.oidc.tenant-javascript.auth-server-url=${quarkus.oidc.auth-server-url}
 quarkus.oidc.tenant-javascript.client-id=quarkus-app
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
index 67f549bef42b0..bddaa98eeeb00 100644
--- a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
+++ b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -95,7 +95,7 @@ public void testCodeFlowNoConsent() throws IOException {
 
 Cookie sessionCookie = getSessionCookie(webClient, null);
 assertNotNull(sessionCookie);
- assertEquals("strict", sessionCookie.getSameSite());
+ assertEquals("lax", sessionCookie.getSameSite());
 webClient.getCookieManager().clearCookies();
 }
 
@@ -220,7 +220,7 @@ public void testCodeFlowForceHttpsRedirectUriAndPkce() throws Exception {
 assertEquals("tenant-https:reauthenticated", page.getBody().asNormalizedText());
 Cookie sessionCookie = getSessionCookie(webClient, "tenant-https_test");
 assertNotNull(sessionCookie);
- assertEquals("lax", sessionCookie.getSameSite());
+ assertEquals("strict", sessionCookie.getSameSite());
 webClient.getCookieManager().clearCookies();
 }
 }
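Review bot: The new assertion `assertEquals("lax", sessionCookie.getSameSite());` in testCodeFlowNoConsent only holds because the default tenant sets no cookie-same-site property, but nothing in the hunk says that, so a future change to either the default or the test configuration will break this line without telling the reader which side is authoritative. A comment above it such as `// the default tenant does not set cookie-same-site, so this pins the runtime default` would make the intent explicit, and the hunk at line 220 is the mirror case and would read better with `// tenant-https sets cookie-same-site=strict explicitly in application.properties` (that setting is the one flipped in the application.properties hunk). Both test method bodies begin outside their hunks.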