Comments (7)
/cc @pedroigor (bearer-token,oidc), @sberyozkin (bearer-token,oidc)
from quarkus.
@segersb What Quarkus version is it? The state cookie is removed the moment it is detected, and we have a good number of tests confirming it is null at the end.
What I will do, I'll update https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-openid-connect-web-authentication-quickstart/src/test/java/org/acme/security/openid/connect/web/authentication/CodeFlowTest.java to double check it and then if it works as expected I'll ask you to modify that test to reproduce the problem
We're on the latest 3.9.4
I did notice "removeCookie" calls in the "CodeAuthenticationMechanism" class
However it seems those are called when the flow processes the redirect, not in the initial getChallenge
@segersb It should not really matter as the token removal happens on the response object.
I've added a simple test at quarkusio/quarkus-quickstarts#1418
I think the one which would be of most relevance is the token timeout test, see changes from here:
So initially we have a single state cookie. After the successful login, it is null. Now the session expires and again, we only have a single state cookie.
What I'd like to ask you is to modify the test in that PR (if you'd like please wait until it is merged into the development branch) to have that test failing with having more than 1 state cookie at a time.
Please also try 3.10.CR1.
It sounds like you may have concurrent authentication requests (multiple tabs, threads) for the same user (as opposed to a typical single tab flow), in which case, indeed, a new unique state cookie is created to track each of these authentications, and if one of these parallel authentications is not completed, the state cookies will accumulate.
Quarkus can't delete all of them, the way you do it, as it will break the multi-tab authentication.
If you don't do a multi-tab authentication, then the only other reason I can think of is that the parallel heartbeats may be overlapping with the actual authentication requests, i.e., you still have essentially a multi-tab authentication.
What you can do here is just disable the multi-tab:
quarkus.oidc.authentication.allow-multiple-code-flows=false
That may actually be what will fix it for you
@segersb But in any case, I can also do what I've been thinking about doing for a long time and never done: the state cookie age is set to 30 mins by default; it should be set to 5 mins max by default, and users should be able to tune it to 1 min if they need to, which will accelerate the browser getting rid of any stale state cookies.
We ran into a problem because we use Vaadin for our frontend, and it sends out heartbeat requests. These heartbeats don't interact with OIDC, so when the access token expires, each request ends up creating a new cookie. We can adjust the heartbeat interval, but if a heartbeat fails due to an expired token, it tries again every second. This was a problem even though the cookies are only good for 30 minutes.
Setting the property like you suggested worked out great. Our own fix, where we expire the tokens ourselves, does pretty much the same thing. I'm not totally sure when you'd need multiple code flows, but if that's the standard and it's working as intended, then it's all good.
Thanks for your help. I'm going to close the ticket now.
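The two comments above (the maintainer's explanation of parallel code flows and the reporter's description of the Vaadin heartbeat retries) describe one mechanism: every unauthenticated request triggers a new code-flow challenge, and in multi-flow mode each challenge sets its own uniquely named state cookie, so a client that retries every second without ever finishing the login fills the browser with state cookies until their max-age expires. The simulation below is an added example, not Quarkus code and not the reporter's fix; it models a browser cookie jar and a challenge handler in both modes. The `q_auth` cookie name is an assumption modelled on the Quarkus state cookie, and the heartbeat timings, cookie ages and state values are constructed for the illustration.

```python
"""Simulation of OIDC state-cookie accumulation under repeated, never-completed code flows.

Added example, not Quarkus code. Assumptions: the state cookie is named
"q_auth" (single-flow mode) or "q_auth_<state>" (multi-flow mode), the
browser drops a cookie once its max-age has passed, and a successful
callback removes the matching state cookie. Timings are a simulated clock.
"""
from dataclasses import dataclass
import uuid

STATE_COOKIE_NAME = "q_auth"  # assumed prefix, modelled on the Quarkus state cookie


@dataclass
class Cookie:
    name: str
    value: str
    expires_at: int  # simulated clock, seconds


class CookieJar:
    """Browser-side cookie store; prune() drops cookies whose max-age has passed."""

    def __init__(self):
        self.cookies = {}

    def set(self, cookie):
        self.cookies[cookie.name] = cookie

    def prune(self, now):
        self.cookies = {n: c for n, c in self.cookies.items() if c.expires_at > now}

    def state_cookies(self):
        return [c for n, c in self.cookies.items() if n.startswith(STATE_COOKIE_NAME)]


class CodeFlowChallenge:
    """Server side of the code flow: challenge sets a state cookie, complete verifies and removes it."""

    def __init__(self, allow_multiple_code_flows, state_cookie_age):
        self.allow_multiple_code_flows = allow_multiple_code_flows
        self.state_cookie_age = state_cookie_age  # seconds, constructed

    def challenge(self, jar, now):
        """Respond to an unauthenticated request: set a state cookie and return (name, state)."""
        state = uuid.uuid4().hex
        if self.allow_multiple_code_flows:
            name = f"{STATE_COOKIE_NAME}_{state}"  # one cookie per parallel flow
        else:
            name = STATE_COOKIE_NAME  # single fixed name, overwritten by each challenge
        jar.set(Cookie(name, state, now + self.state_cookie_age))
        return name, state

    def complete(self, jar, name, state):
        """Callback from the IdP: the state must match the cookie; on success the cookie is removed."""
        cookie = jar.cookies.get(name)
        if cookie is None or cookie.value != state:
            return False
        del jar.cookies[name]
        return True


def simulate_heartbeats(allow_multiple_code_flows, state_cookie_age, retries=60, interval=1):
    """The session has expired and a client retries every `interval` seconds without logging in.
    Returns the number of live state cookies in the browser after the last retry."""
    jar = CookieJar()
    server = CodeFlowChallenge(allow_multiple_code_flows, state_cookie_age)
    for i in range(retries):
        now = i * interval
        jar.prune(now)  # browser expires stale cookies before sending the request
        server.challenge(jar, now)
    return len(jar.state_cookies())


def simulate_two_tabs(allow_multiple_code_flows, state_cookie_age=1800):
    """Two tabs start a login at the same moment; tab 1 finishes first.
    Shows why a single fixed state cookie breaks multi-tab authentication."""
    jar = CookieJar()
    server = CodeFlowChallenge(allow_multiple_code_flows, state_cookie_age)
    name1, state1 = server.challenge(jar, 0)
    server.challenge(jar, 0)  # tab 2 overwrites the cookie in single-flow mode
    after_challenges = len(jar.state_cookies())
    tab1_login_ok = server.complete(jar, name1, state1)
    return {
        "after_challenges": after_challenges,
        "tab1_login_ok": tab1_login_ok,
        "remaining": len(jar.state_cookies()),
    }


if __name__ == "__main__":
    print("multi-flow, 30 min age, 60 retries:", simulate_heartbeats(True, 1800))
    print("multi-flow, 30 s age, 60 retries:  ", simulate_heartbeats(True, 30))
    print("single-flow, 30 min age, 60 retries:", simulate_heartbeats(False, 1800))
    print("two tabs, multi-flow:", simulate_two_tabs(True))
    print("two tabs, single-flow:", simulate_two_tabs(False))
```

In multi-flow mode with a 30 minute cookie age, sixty one-second retries leave sixty state cookies in the jar; shortening the cookie age to 30 seconds caps the pile at thirty, which is the effect of the shorter default age proposed above; `allow-multiple-code-flows=false` keeps it at one. The two-tab run shows the trade-off: with the single fixed cookie, tab 2's challenge overwrites tab 1's state, so tab 1's callback fails its state check.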
Thanks @segersb, I'll re-open just so that I remember to do this task of having the state cookie timeout controlled better, and will close once that is done, thanks