Merge pull request #34073 from sberyozkin/oidc_same_site_all_session_cookies

Add configured SameSite attribute to all OIDC session cookies

Author: gastaldi

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java

@@ -39,13 +39,13 @@ public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantCon
                         oidcConfig,
                         getAccessTokenCookieName(oidcConfig),
                         encryptToken(tokens.getAccessToken(), routingContext, oidcConfig),
-                        routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM));
+                        routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), true);
                 if (tokens.getRefreshToken() != null) {
                     CodeAuthenticationMechanism.createCookie(routingContext,
                             oidcConfig,
                             getRefreshTokenCookieName(oidcConfig),
                             encryptToken(tokens.getRefreshToken(), routingContext, oidcConfig),
-                            routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM));
+                            routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM), true);
                 }
             }
         } else if (oidcConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {

integration-tests/oidc-code-flow/src/main/resources/application.properties

@@ -147,6 +147,7 @@ quarkus.oidc.tenant-split-tokens.credentials.secret=secret
 quarkus.oidc.tenant-split-tokens.token-state-manager.split-tokens=true
 quarkus.oidc.tenant-split-tokens.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
 quarkus.oidc.tenant-split-tokens.application-type=web-app
+quarkus.oidc.tenant-split-tokens.authentication.cookie-same-site=strict
 
 quarkus.http.auth.permission.roles1.paths=/index.html
 quarkus.http.auth.permission.roles1.policy=authenticated

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java

@@ -936,12 +936,15 @@ public void testDefaultSessionManagerSplitTokens() throws IOException, Interrupt
 
             final String decryptSecret = "eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU";
             Cookie idTokenCookie = getSessionCookie(page.getWebClient(), "tenant-split-tokens");
+            assertEquals("strict", idTokenCookie.getSameSite());
             checkSingleTokenCookie(idTokenCookie, "ID", decryptSecret);
 
             Cookie atTokenCookie = getSessionAtCookie(page.getWebClient(), "tenant-split-tokens");
+            assertEquals("strict", atTokenCookie.getSameSite());
             checkSingleTokenCookie(atTokenCookie, "Bearer", decryptSecret);
 
             Cookie rtTokenCookie = getSessionRtCookie(page.getWebClient(), "tenant-split-tokens");
+            assertEquals("strict", rtTokenCookie.getSameSite());
             checkSingleTokenCookie(rtTokenCookie, "Refresh", decryptSecret);
 
             // verify all the cookies are cleared after the session timeout
@@ -1023,11 +1026,6 @@ public Boolean call() throws Exception {
         }
     }
 
-    private void checkSingleTokenCookie(Cookie tokenCookie, String type) {
-        checkSingleTokenCookie(tokenCookie, type, null);
-
-    }
-
     private void checkSingleTokenCookie(Cookie tokenCookie, String type, String decryptSecret) {
         String[] cookieParts = tokenCookie.getValue().split("\\|");
         assertEquals(1, cookieParts.length);