Merge pull request #30828 from sberyozkin/oidc_session_cookie_same_site_lax

sberyozkin · web-flow · commit 7814ea5fc89a · 2023-02-02T23:04:41.000Z
Make OIDC session cookie same site lax by default
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -769,8 +769,8 @@ public enum ResponseMode {
         /**
          * SameSite attribute for the session cookie.
          */
-        @ConfigItem(defaultValue = "strict")
-        public CookieSameSite cookieSameSite = CookieSameSite.STRICT;
+        @ConfigItem(defaultValue = "lax")
+        public CookieSameSite cookieSameSite = CookieSameSite.LAX;
 
         /**
          * If this property is set to 'true' then an OIDC UserInfo endpoint will be called.
diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
@@ -107,7 +107,7 @@ quarkus.oidc.tenant-https.authentication.cookie-suffix=test
 quarkus.oidc.tenant-https.authentication.error-path=/tenant-https/error
 quarkus.oidc.tenant-https.authentication.pkce-required=true
 quarkus.oidc.tenant-https.authentication.pkce-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
-quarkus.oidc.tenant-https.authentication.cookie-same-site=lax
+quarkus.oidc.tenant-https.authentication.cookie-same-site=strict
 
 quarkus.oidc.tenant-javascript.auth-server-url=${quarkus.oidc.auth-server-url}
 quarkus.oidc.tenant-javascript.client-id=quarkus-app
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -95,7 +95,7 @@ public void testCodeFlowNoConsent() throws IOException {
 
             Cookie sessionCookie = getSessionCookie(webClient, null);
             assertNotNull(sessionCookie);
-            assertEquals("strict", sessionCookie.getSameSite());
+            assertEquals("lax", sessionCookie.getSameSite());
 
             webClient.getCookieManager().clearCookies();
         }
@@ -220,7 +220,7 @@ public void testCodeFlowForceHttpsRedirectUriAndPkce() throws Exception {
             assertEquals("tenant-https:reauthenticated", page.getBody().asNormalizedText());
             Cookie sessionCookie = getSessionCookie(webClient, "tenant-https_test");
             assertNotNull(sessionCookie);
-            assertEquals("lax", sessionCookie.getSameSite());
+            assertEquals("strict", sessionCookie.getSameSite());
             webClient.getCookieManager().clearCookies();
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ public void testCodeFlowNoConsent() throws IOException {`
`95`	`95`
`96`	`96`	`Cookie sessionCookie = getSessionCookie(webClient, null);`
`97`	`97`	`assertNotNull(sessionCookie);`
`98`		`- assertEquals("strict", sessionCookie.getSameSite());`
	`98`	`+ assertEquals("lax", sessionCookie.getSameSite());`
`99`	`99`
`100`	`100`	`webClient.getCookieManager().clearCookies();`
`101`	`101`	`}`
`@@ -220,7 +220,7 @@ public void testCodeFlowForceHttpsRedirectUriAndPkce() throws Exception {`
`220`	`220`	`assertEquals("tenant-https:reauthenticated", page.getBody().asNormalizedText());`
`221`	`221`	`Cookie sessionCookie = getSessionCookie(webClient, "tenant-https_test");`
`222`	`222`	`assertNotNull(sessionCookie);`
`223`		`- assertEquals("lax", sessionCookie.getSameSite());`
	`223`	`+ assertEquals("strict", sessionCookie.getSameSite());`
`224`	`224`	`webClient.getCookieManager().clearCookies();`
`225`	`225`	`}`
`226`	`226`	`}`