Merge pull request #51220 from sberyozkin/oidc_custom_providers_encrypt_tokens

Encrypt OIDC tokens for custom TokenStateManager implementations

Author: sberyozkin

docs/src/main/asciidoc/security-oidc-expanded-configuration.adoc

@@ -604,14 +604,14 @@ Currently, only a `Cache-Control` `no-store` directive that prohibits caching th
 After the authorization code flow is finished, ID token, access token, and refresh token must be retained to support the user session.
 
 By defaut, Quarkus OIDC stores all three tokens in an encrypted session cookie, making Quarkus OIDC stateless.
-Quarkus OIDC also provides the stateful xref:security-oidc-code-flow-authentication.adoc#db-token-state-manager[Database TokenStateManager] to store tokens in your database of choice and the xref:security-oidc-code-flow-authentication.adoc#redis-token-state-manager[Redis TokenStateManager] to store them in the Redis cache. Users can also register custom `quarkus.oidc.TokenStateManager` to store these tokens as required.
+Quarkus OIDC also provides the stateful xref:security-oidc-code-flow-authentication.adoc#db-token-state-manager[Database TokenStateManager] to store tokens in your database of choice and the xref:security-oidc-code-flow-authentication.adoc#redis-token-state-manager[Redis TokenStateManager] to store them in the Redis cache. Users can also register custom `io.quarkus.oidc.TokenStateManager` to store these tokens as required.
 
 .Default TokenStateManager
 [options="header"]
 |====
 |Property | Default |Description
 
-|quarkus.oidc.token-state-manager.encryption-required |true| Encrypt session cookie by default
+|quarkus.oidc.token-state-manager.encryption-required |true| Encrypt session cookie by default, also see the note below
 |quarkus.oidc.token-state-manager.encryption-secret || Encryption secret, with falling back to the client secret and finally a generated secret key
 |quarkus.oidc.token-state-manager.encryption-algorithm |A256GCMKW| Encryption algorithm
 |quarkus.oidc.token-state-manager.split-tokens |false| Cookie per token
@@ -632,6 +632,15 @@ For example, you can do `quarkus.oidc.token-state-manager.strategy=id-refresh-to
 
 If your application does not need to use access tokens but only interact with the authenticated user who must always re-authenticate when the session expires, consider `quarkus.oidc.token-state-manager.strategy=idtoken` - which retains ID token only, ignoring both access and refresh tokens.
 
+[NOTE]
+====
+`quarkus.oidc.token-state-manager.encryption-required` and two other related properties, `quarkus.oidc.token-state-manager.encryption-secret` and `quarkus.oidc.token-state-manager.encryption-algorithm`, are also effective when custom `io.quarkus.oidc.TokenStateManager` is used, including xref:security-oidc-code-flow-authentication.adoc#db-token-state-manager[Database TokenStateManager] and xref:security-oidc-code-flow-authentication.adoc#redis-token-state-manager[Redis TokenStateManager]. 
+
+Given that `quarkus.oidc.token-state-manager.encryption-required` is set to `true` by default, a custom `io.quarkus.oidc.TokenStateManager` implementation must encrypt tokens before storing them by default. However, it does not have to encrypt tokens itself, they will be encrypted by the time it is asked to store them.
+
+A custom `io.quarkus.oidc.TokenStateManager` implementation that does not want tokens encrypted by default can disable it with `quarkus.oidc.token-state-manager.encryption-required=false`.
+====
+
 [[logout-properties]]
 == Logout
 
@@ -1231,7 +1240,7 @@ You can register a `quarkus.oidc.UserInfoCache` provider to support a custom `Us
 === TokenStateManager
 
 As discussed in the <<token-state-manager>> section above, Quarkus OIDC already provides stateless (default) and stateful options for storing  authorization code flow tokens.
-You can also provide your own custom `quarkus.oidc.TokenStateManager` implementation.
+You can also provide your own custom `io.quarkus.oidc.TokenStateManager` implementation.
 
 === Request, response and redirect filters
 

extensions/oidc-db-token-state-manager/deployment/src/main/java/io/quarkus/oidc/db/token/state/manager/OidcDbTokenStateManagerProcessor.java

@@ -151,9 +151,9 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
             case REACTIVE_DB2_CLIENT:
                 createTableDdl = "CREATE TABLE oidc_db_token_state_manager ("
                         + "id VARCHAR(100) NOT NULL PRIMARY KEY, "
-                        + "id_token VARCHAR(4000), "
-                        + "access_token VARCHAR(4000), "
-                        + "refresh_token VARCHAR(4000), "
+                        + "id_token VARCHAR(5000), "
+                        + "access_token VARCHAR(5000), "
+                        + "refresh_token VARCHAR(5000), "
                         + "access_token_expires_in BIGINT, "
                         + "access_token_scope VARCHAR(100), "
                         + "expires_in BIGINT NOT NULL)";
@@ -162,9 +162,9 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
             case REACTIVE_ORACLE_CLIENT:
                 createTableDdl = "CREATE TABLE IF NOT EXISTS oidc_db_token_state_manager ("
                         + "id VARCHAR2(100), "
-                        + "id_token VARCHAR2(4000), "
-                        + "access_token VARCHAR2(4000), "
-                        + "refresh_token VARCHAR2(4000), "
+                        + "id_token VARCHAR2(5000), "
+                        + "access_token VARCHAR2(5000), "
+                        + "refresh_token VARCHAR2(5000), "
                         + "access_token_expires_in NUMBER, "
                         + "access_token_scope VARCHAR2(100), "
                         + "expires_in NUMBER NOT NULL, "

extensions/oidc-db-token-state-manager/deployment/src/test/java/io/quarkus/oidc/db/token/state/manager/AbstractDbTokenStateManagerTest.java

@@ -75,6 +75,7 @@ public void testCodeFlow() throws IOException {
                     textPage.getContent());
 
             assertTokenStateCount(1);
+            assertTokensAreEncryptedInDB();
 
             webClient.getOptions().setRedirectEnabled(false);
             WebResponse webResponse = webClient
@@ -97,6 +98,22 @@ protected static void assertTokenStateCount(Integer tokenStateCount) {
                 .body(Matchers.is(tokenStateCount.toString()));
     }
 
+    protected void assertTokensAreEncryptedInDB() {
+        String expectedTokenEncryptionStatus = """
+                id token encrypted: %1$s, access token encrypted: %1$s, refresh token encrypted: %1$s
+                """.formatted(tokenEncryptionStatus()).trim();
+        RestAssured
+                .given()
+                .get("public/db-state-manager-tokens")
+                .then()
+                .statusCode(200)
+                .body(Matchers.is(expectedTokenEncryptionStatus));
+    }
+
+    protected boolean tokenEncryptionStatus() {
+        return true;
+    }
+
     protected static WebClient createWebClient() {
         WebClient webClient = new WebClient();
         webClient.setCssErrorHandler(new SilentCssErrorHandler());

extensions/oidc-db-token-state-manager/deployment/src/test/java/io/quarkus/oidc/db/token/state/manager/HibernateOrmPgDbTokenStateManagerTest.java

@@ -68,6 +68,11 @@ public void testCodeFlowOnTableNotCreatedByExtension() throws IOException {
         }
     }
 
+    @Override
+    protected boolean tokenEncryptionStatus() {
+        return false;
+    }
+
     @Test
     public void testExpiredTokenDeletion() {
         assertTokenStateCount(0);

extensions/oidc-db-token-state-manager/deployment/src/test/java/io/quarkus/oidc/db/token/state/manager/PublicResource.java

@@ -8,6 +8,7 @@
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 
+import io.quarkus.oidc.runtime.OidcUtils;
 import io.smallrye.mutiny.Uni;
 import io.vertx.sqlclient.Pool;
 import io.vertx.sqlclient.Row;
@@ -41,4 +42,30 @@ public Long apply(RowSet<Row> rows) {
                 .toCompletionStage());
     }
 
+    @Path("/db-state-manager-tokens")
+    @GET
+    public Uni<String> getDbStateManagerTokens() {
+        return Uni.createFrom().completionStage(pool
+                .query("SELECT id_token, access_token, refresh_token FROM oidc_db_token_state_manager")
+                .execute()
+                .map(new Function<RowSet<Row>, String>() {
+                    @Override
+                    public String apply(RowSet<Row> rows) {
+                        if (rows != null) {
+                            var iterator = rows.iterator();
+                            if (iterator.hasNext()) {
+                                Row row = iterator.next();
+                                return """
+                                        id token encrypted: %b, access token encrypted: %b, refresh token encrypted: %b
+                                        """.formatted(OidcUtils.isEncryptedToken(row.getString(0)),
+                                        OidcUtils.isEncryptedToken(row.getString(1)),
+                                        OidcUtils.isEncryptedToken(row.getString(2))).trim();
+                            }
+                        }
+                        return "";
+                    }
+                })
+                .toCompletionStage());
+    }
+
 }

extensions/oidc-db-token-state-manager/deployment/src/test/resources/hibernate-orm-application.properties

@@ -5,3 +5,6 @@ quarkus.log.category."org.htmlunit.javascript.host.css.CSSStyleSheet".level=FATA
 quarkus.log.category."org.htmlunit.css".level=FATAL
 quarkus.oidc.db-token-state-manager.delete-expired-delay=3
 quarkus.oidc.db-token-state-manager.create-database-table-if-not-exists=false
+quarkus.hibernate-orm.log.sql=true
+
+quarkus.oidc.token-state-manager.encryption-required=false

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/CustomTokenStateManager.java

@@ -10,6 +10,7 @@
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.TokenStateManager;
 import io.quarkus.oidc.runtime.DefaultTokenStateManager;
+import io.quarkus.oidc.runtime.OidcUtils;
 import io.smallrye.mutiny.Uni;
 import io.vertx.ext.web.RoutingContext;
 
@@ -24,7 +25,9 @@ public class CustomTokenStateManager implements TokenStateManager {
     @Override
     public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantConfig oidcConfig,
             AuthorizationCodeTokens sessionContent, OidcRequestContext<String> requestContext) {
-        return tokenStateManager.createTokenState(routingContext, oidcConfig, sessionContent, requestContext)
+        return tokenStateManager.createTokenState(routingContext, oidcConfig,
+                OidcUtils.decryptTokens(routingContext, oidcConfig, sessionContent),
+                requestContext)
                 .map(t -> (t + "|custom"));
     }
 
@@ -35,7 +38,8 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
             throw new IllegalStateException();
         }
         String defaultState = tokenState.substring(0, tokenState.length() - 7);
-        return tokenStateManager.getTokens(routingContext, oidcConfig, defaultState, requestContext);
+        return tokenStateManager.getTokens(routingContext, oidcConfig, defaultState, requestContext)
+                .map(t -> OidcUtils.encryptTokens(routingContext, oidcConfig, t));
     }
 
     @Override

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -350,15 +350,16 @@ public Uni<AuthorizationCodeTokens> apply(Throwable t) {
                         })
                 .chain(new Function<AuthorizationCodeTokens, Uni<? extends SecurityIdentity>>() {
                     @Override
-                    public Uni<? extends SecurityIdentity> apply(AuthorizationCodeTokens session) {
-                        context.put(OidcConstants.ACCESS_TOKEN_VALUE, session.getAccessToken());
-                        context.put(AuthorizationCodeTokens.class.getName(), session);
+                    public Uni<? extends SecurityIdentity> apply(AuthorizationCodeTokens tokens) {
+                        AuthorizationCodeTokens decryptedtokens = decryptTokens(context, configContext.oidcConfig(), tokens);
+                        context.put(OidcConstants.ACCESS_TOKEN_VALUE, decryptedtokens.getAccessToken());
+                        context.put(AuthorizationCodeTokens.class.getName(), decryptedtokens);
                         // Default token state manager may have encrypted ID token when it was saved in a cookie
-                        final String currentIdToken = decryptIdToken(configContext, session.getIdToken());
+                        final String currentIdToken = decryptIdToken(configContext, decryptedtokens.getIdToken());
                         return authenticate(identityProviderManager, context,
                                 new IdTokenCredential(currentIdToken,
                                         isInternalIdToken(currentIdToken, configContext)))
-                                .call(new LogoutCall(context, configContext, session.getIdToken())).onFailure()
+                                .call(new LogoutCall(context, configContext, decryptedtokens.getIdToken())).onFailure()
                                 .recoverWithUni(new Function<Throwable, Uni<? extends SecurityIdentity>>() {
                                     @Override
                                     public Uni<? extends SecurityIdentity> apply(Throwable t) {
@@ -408,7 +409,7 @@ public Uni<? extends SecurityIdentity> apply(Throwable t) {
                                             if (isRpInitiatedLogout(context, configContext)) {
                                                 LOG.debug("Session has expired, performing an RP initiated logout");
                                                 fireEvent(SecurityEvent.Type.OIDC_LOGOUT_RP_INITIATED_SESSION_EXPIRED,
-                                                        Map.of(SecurityEvent.SESSION_TOKENS_PROPERTY, session));
+                                                        Map.of(SecurityEvent.SESSION_TOKENS_PROPERTY, decryptedtokens));
                                                 return Uni.createFrom().item((SecurityIdentity) null)
                                                         .call(() -> buildLogoutRedirectUriUni(context, configContext,
                                                                 currentIdToken));
@@ -418,20 +419,20 @@ public Uni<? extends SecurityIdentity> apply(Throwable t) {
                                                         "Token has expired, token refresh is not allowed, redirecting to re-authenticate");
                                                 return refreshIsNotPossible(context, configContext, t);
                                             }
-                                            if (session.getRefreshToken() == null) {
+                                            if (decryptedtokens.getRefreshToken() == null) {
                                                 LOG.debug(
                                                         "Token has expired, token refresh is not possible because the refresh token is null");
                                                 return refreshIsNotPossible(context, configContext, t);
                                             }
-                                            if (OidcUtils.isJwtTokenExpired(session.getRefreshToken())) {
+                                            if (OidcUtils.isJwtTokenExpired(decryptedtokens.getRefreshToken())) {
                                                 LOG.debug(
                                                         "Token has expired, token refresh is not possible because the refresh token has expired");
                                                 return refreshIsNotPossible(context, configContext, t);
                                             }
                                             LOG.debug("Token has expired, trying to refresh it");
                                             return refreshSecurityIdentity(configContext,
                                                     currentIdToken,
-                                                    session.getRefreshToken(),
+                                                    decryptedtokens.getRefreshToken(),
                                                     context,
                                                     identityProviderManager, false, null);
                                         } else {
@@ -441,18 +442,18 @@ public Uni<? extends SecurityIdentity> apply(Throwable t) {
                                             if (isLogout(context, configContext, currentIdentity)) {
                                                 // No need to refresh the token since the user is requesting a logout
                                                 return Uni.createFrom().item(currentIdentity).call(
-                                                        new LogoutCall(context, configContext, session.getIdToken()));
+                                                        new LogoutCall(context, configContext, decryptedtokens.getIdToken()));
                                             }
 
                                             // Token has nearly expired, try to refresh
 
-                                            if (session.getRefreshToken() == null) {
+                                            if (decryptedtokens.getRefreshToken() == null) {
                                                 LOG.debug(
                                                         "Token auto-refresh is required but is not possible because the refresh token is null");
                                                 return autoRefreshIsNotPossible(context, configContext, currentIdentity, t);
                                             }
 
-                                            if (OidcUtils.isJwtTokenExpired(session.getRefreshToken())) {
+                                            if (OidcUtils.isJwtTokenExpired(decryptedtokens.getRefreshToken())) {
                                                 LOG.debug(
                                                         "Token auto-refresh is required but is not possible because the refresh token has expired");
                                                 return autoRefreshIsNotPossible(context, configContext, currentIdentity, t);
@@ -461,7 +462,7 @@ public Uni<? extends SecurityIdentity> apply(Throwable t) {
                                             LOG.debug("Token auto-refresh is starting");
                                             return refreshSecurityIdentity(configContext,
                                                     currentIdToken,
-                                                    session.getRefreshToken(),
+                                                    decryptedtokens.getRefreshToken(),
                                                     context,
                                                     identityProviderManager, true,
                                                     currentIdentity);
@@ -1077,9 +1078,10 @@ public Uni<? extends Void> apply(Void t) {
                         context.put(TenantConfigContext.class.getName(), configContext);
                         // Just in case, remove the stale Back-Channel Logout data if the previous session was not terminated correctly
                         resolver.getBackChannelLogoutTokens().remove(configContext.oidcConfig().tenantId().get());
-
+                        AuthorizationCodeTokens encryptedTokens = encryptTokens(context, configContext.oidcConfig(), tokens);
                         return resolver.getTokenStateManager()
-                                .createTokenState(context, configContext.oidcConfig(), tokens, createTokenStateRequestContext)
+                                .createTokenState(context, configContext.oidcConfig(), encryptedTokens,
+                                        createTokenStateRequestContext)
                                 .map(new Function<String, Void>() {
 
                                     @Override
@@ -1131,6 +1133,24 @@ public Void apply(String cookieValue) {
 
     }
 
+    private AuthorizationCodeTokens encryptTokens(RoutingContext context, OidcTenantConfig oidcConfig,
+            AuthorizationCodeTokens tokens) {
+        if (!(resolver.getTokenStateManager() instanceof DefaultTokenStateManager)
+                && oidcConfig.tokenStateManager().encryptionRequired()) {
+            return OidcUtils.encryptTokens(context, oidcConfig, tokens);
+        }
+        return tokens;
+    }
+
+    private AuthorizationCodeTokens decryptTokens(RoutingContext context, OidcTenantConfig oidcConfig,
+            AuthorizationCodeTokens tokens) {
+        if (!(resolver.getTokenStateManager() instanceof DefaultTokenStateManager)
+                && oidcConfig.tokenStateManager().encryptionRequired()) {
+            return OidcUtils.decryptTokens(context, oidcConfig, tokens);
+        }
+        return tokens;
+    }
+
     private void fireEvent(SecurityEvent.Type eventType, SecurityIdentity securityIdentity) {
         if (resolver.isSecurityEventObserved()) {
             SecurityEventHelper.fire(resolver.getSecurityEvent(), new SecurityEvent(eventType, securityIdentity));