sberyozkin
Contributor

Fixes #93.

Please see the linked issue description.
OIDC proxy code update is only about setting a state cookie and verifying it is correct at the end of the local redirect.
Reworking the test proved more difficult, but was worth it, as the local redirect, even though it was already used in the test, was not really deeply verified.

@sberyozkin sberyozkin requested a review from gastaldi May 26, 2025 13:14
@sberyozkin sberyozkin requested a review from a team as a code owner May 26, 2025 13:14
@gastaldi gastaldi requested a review from Copilot May 26, 2025 13:41

@Copilot Copilot AI left a comment

Pull Request Overview

This PR addresses issue #93 by introducing a mechanism to set and verify a dedicated OIDC proxy state cookie during the local redirect process.

  • Introduces a new constant and functions to create and remove the OIDC proxy state cookie in OidcProxy.java
  • Updates the local redirect flow to validate the state cookie and enhances error handling when state validation fails
  • Modifies integration tests to validate the new cookie behavior and updates application properties accordingly

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| runtime/src/main/java/io/quarkus/oidc/proxy/runtime/OidcProxy.java | Added cookie creation and verification logic for the proxy state to secure the local redirect flow |
| integration-tests/src/test/java/io/quarkus/oidc/proxy/OidcProxyTestCase.java | Updated tests to check for the correct handling of the proxy state cookie during redirects |
| integration-tests/src/main/resources/application.properties | Added configuration to disallow multiple code flows |

@sberyozkin sberyozkin merged commit 15ed934 into quarkiverse:main May 26, 2025
1 check passed
@sberyozkin sberyozkin deleted the state_cookie branch May 26, 2025 14:13
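
The check discussed in this thread (a state cookie set for the local redirect and verified when that redirect completes) can be sketched as follows. This is an added example, not the code from OidcProxy.java; the cookie name, the method names, and the assumption that the state value comes back as a request parameter are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public class ProxyStateCookieDemo {
    // Hypothetical cookie name; the constant added by the PR is not shown on this page.
    static final String STATE_COOKIE = "example_proxy_state";
    private static final SecureRandom RNG = new SecureRandom();

    /** Start of the local redirect: mint an unguessable state value. */
    static String newState() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Set-Cookie header value that binds the state to this browser. */
    static String setCookieHeader(String state) {
        return STATE_COOKIE + "=" + state + "; Path=/; Max-Age=300; HttpOnly; Secure; SameSite=Lax";
    }

    /** Header that removes the cookie once it has been checked. */
    static String clearCookieHeader() {
        return STATE_COOKIE + "=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax";
    }

    /** End of the local redirect: the returned state must match the cookie. */
    static boolean stateMatches(Map<String, String> cookies, String returnedState) {
        String expected = cookies.get(STATE_COOKIE);
        if (expected == null || expected.isEmpty() || returnedState == null) {
            return false; // no cookie: this browser did not start the flow
        }
        // Constant-time comparison of the two values.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String state = newState();
        System.out.println("Set-Cookie: " + setCookieHeader(state));
        // Constructed requests arriving at the local redirect endpoint.
        System.out.println("same browser: " + stateMatches(Map.of(STATE_COOKIE, state), state));
        System.out.println("no cookie:    " + stateMatches(Map.of(), state));
        System.out.println("wrong state:  " + stateMatches(Map.of(STATE_COOKIE, state), newState()));
        System.out.println("Set-Cookie: " + clearCookieHeader());
    }
}
```

A request that fails `stateMatches` should be rejected with an error response rather than continuing the flow, and the cookie should be cleared in either case so a state value is never accepted twice.
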
Development

Successfully merging this pull request may close these issues.

Set OIDC proxy state cookie during the local redirect