search

quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0
13.72k stars 2.67k forks source link

(Global) Cookie encryption #34192

Open cescoffier opened 1 year ago

cescoffier commented 1 year ago

Description

How can we provide support for global cookie encryption - in a cloud-native manner (multiple instances of the application should be able to read and write the same cookie).

Analysis

(links to analysis docs containing architecture design work, requirements gathering, etc)

quarkus-bot[bot] commented 1 year ago

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

sberyozkin commented 1 year ago

Hi @cescoffier This is probably a duplicate of #33277.

Multiple extensions have their own way of managing the cookies relevant to them. Lets take Form and OIDC for example. In this case having the same cookie used by both Form and OIDC makes no sense - because noone will use Form and OIDC at the same time, but also, OIDC session cookie lifetime and other properties are controlled at the OIDC provider side (ID token configuration etc), for Form - locally in Quarkus.

But the uniform cookie encryption is indeed worth it, so that multiple pods, can read the encrypted cookie. Each extension has a way to configure an encryption key. While property names are different, all of them can use for example a single instance of ConfigSource to fetch this encryption from the encryption store of some sort. CredenatialsProvider is another option

Right now I'm not sure there is much scope to this issue as we have the options to share the same encryption key between all extensions encrypting the cookies