You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR adds an option to customize the way the session cookie is encrypted - it will continue using the current mode by default where a content encryption key (CEK) is generated (with more algorithms added as required - I'm not too keen to open it up completely to support all of them) - this mode is strongest but also produces a longer sequence and is a bit slower.
Direct dir encryption is a standard JWE option where the configured encryption key acts as CEK.
FYI, difference in the cookie size, in the 2 updated tests is 2919 (dir) vs 3043 (CEK is generated and encoded) so it is about 120 bytes which might make a difference.
Hi Pedro @pedroigor, after looking at the issues related to the session token management, I think it makes sense to go ahead with this option, as it looks like that the OIDC session cookies, nearly all of them, are close to 4K by default, so having an option to shorten the cipher text, without having to split the session cookie length is useful.
I'll resolve the conflict and will ping you to discuss
@pedroigor The reason it will make a difference is that I've noticed that with the max cookie value set to 4048 is not enough to avoid the split which is not great, so I've tuned it to 4056 for now, but with this option, decreasing the cookie size by 120 bytes on average will make the split unnecessary in many cases
Thanks @pedroigor, it should help Keycloak users in particular and those work work with providers like Azure which can produce massive ID tokens, to avoid splitting the cookies. I'll consider making it a default option if a strong encryption key is available, but for now the CEK will be generated which produces varying sequences for the same text.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
sberyozkin
force-pushed
the
oidc_session_dir_encrypton
branch
from
Fixes #37785.
This PR adds an option to customize the way the session cookie is encrypted - it will continue using the current mode by default where a content encryption key (CEK) is generated (with more algorithms added as required - I'm not too keen to open it up completely to support all of them) - this mode is strongest but also produces a longer sequence and is a bit slower.
Direct
direncryption is a standard JWE option where the configured encryption key acts as CEK.FYI, difference in the cookie size, in the 2 updated tests is
2919(dir) vs3043(CEK is generated and encoded) so it is about 120 bytes which might make a difference.