OIDC Database TokenStateManager - Encrypted Tokens? #51082
Hello, we use Database TokenStateManager and expected that when the property cc @sberyozkin
/cc @pedroigor (oidc), @sberyozkin (oidc)
@mschorsch FWIW I thought exactly the same (token states should be stored encrypted). I think I started with encrypting during impl., but we iterated on what we have right now. +1 for #51083 and thanks for raising this
Hi @mschorsch, sure, https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTenantConfig.java#L260 applies to the default token state manager, which stores tokens in a cookie, which is where the encryption is enabled by default. These are not encrypted if saved at the server side, where security controls are enforced; for example, the DB can be secured.

We can definitely consider enabling it for the DB and Redis token state managers that Quarkus itself ships.