
OIDC: The oidc security configuration cookie-encryption-enabled default to false is not working. #8815

Closed
pavankumar1986 opened this issue May 30, 2024 · 4 comments
@pavankumar1986
Environment Details

  • Helidon Version: 4.0.7
  • Helidon SE or Helidon MP : MP
  • JDK version: 21
  • OS: Linux
  • Docker version (if applicable): Kubernetes

Problem Description

The oidc security config cookie-encryption-enabled, which is supposed to be disabled (default to false), is not working and is invoking the cookie encrypt/decrypt, resulting in {"code":500,"message":"Failed to decrypt the message","timeStamp":"2024-05-30T08:00:24.851324232Z"}
Yes, it's easily reproducible.

I have tried setting cookie-encryption-enabled to false explicitly also, it does not work.

Steps to reproduce

Set up a Helidon MP application with defaults, oidc=idcs server. Note this happens in a Kubernetes env only. If run as a main program it works fine.
Build a secured REST API and invoke it; it results in
{"code":500,"message":"Failed to decrypt the message","timeStamp":"2024-05-30T08:00:24.851324232Z"}

@barchetta barchetta modified the milestone: 4.0.10 Jun 6, 2024
@Verdent
Member

Verdent commented Aug 14, 2024

Hi @pavankumar1986 ,
I believe that the failure is not caused by access token value encryption (mentioned cookie-encryption-enabled ), but rather other cookies we are using. You can either disable encryption for each cookie individually or set your master password for cookie encryption. That should do the trick.

cookie-encryption-password=ChangeThisToYourPassword

Please let me know if this helped.
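As an added illustration of the fix suggested above (this is not configuration from the thread or from the Helidon project), the following application.yaml places the two keys mentioned in this issue, cookie-encryption-enabled and cookie-encryption-password, in a Helidon MP OIDC provider block. The security.providers list layout and the client-id, client-secret and identity-uri keys are assumed from Helidon's usual OIDC configuration; all values are placeholders.

```yaml
# application.yaml (added example; Helidon MP OIDC provider layout assumed)
security:
  providers:
    - oidc:
        client-id: "<your-client-id>"                 # placeholder
        client-secret: "<from-a-secret-store>"        # placeholder
        identity-uri: "https://<your-idcs-tenant>"    # placeholder
        # Access-token cookie encryption only. false is already the default,
        # so this line changes nothing; it does not cover the other cookies.
        cookie-encryption-enabled: false
        # Master password from which the key for the other, encrypted-by-default
        # cookies is derived. Assumption: every replica behind the same hostname
        # must be configured with the same value, so inject it from a Kubernetes
        # Secret (for example as an environment-variable override) rather than
        # committing a literal here.
        cookie-encryption-password: "<set-from-kubernetes-secret>"
```

Keeping the remaining cookies encrypted and supplying one shared password is the path the maintainer recommends; turning encryption off per cookie removes the decryption error but also removes the protection of those cookies.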

@pavankumar1986
Author

As per the documentation the cookie encryption shall be default to false. But since the cookie encryption is being set to true by default, we are forced to give an encryption key.

@Verdent
Member

Verdent commented Aug 14, 2024

Are you absolutely sure access token cookie encryption is set to true? I mean cookie-encryption-enabled affects only access token encryption, and it is the only one that is set to false by default. It does not affect any other cookies. And yes, those are set to true by default. You can disable the encryption for each cookie separately, but it is not advised to do so for security reasons.

@Verdent
Member

Verdent commented Sep 19, 2024

Works as intended. Please, reopen if I am mistaken.

@Verdent Verdent closed this as completed Sep 19, 2024