OIDC Session Cookie Format Changed In 3.18, Making It Incompatible With 3.17.x
Introduction
In Quarkus 3.18, the format of the OIDC session cookie has been changed, which is a breaking change compared to Quarkus 3.17.x. As a result, users who still hold a session cookie created by Quarkus 3.17.x get an unexpected error message when they access the application after it has been upgraded to Quarkus 3.18. This article describes the issue in detail, contrasts the expected and actual behavior, and gives step-by-step instructions for reproducing the problem.
Describe the Bug
The format of the Quarkus OIDC session cookie has been modified from version 3.17.x to 3.18, leading to a breaking change. The format in Quarkus 3.17.x is as follows:
idToken | accessToken | refreshToken
However, in Quarkus 3.18.x, the format has been changed to:
idToken | accessToken | accessTokenExpiresIn | refreshToken
When a user still has a cookie created by Quarkus 3.17 but the application is already running on Quarkus 3.18, Quarkus throws an unhandled exception:
Unhandled exception: java.lang.NumberFormatException: For input string: "XXXXXXXXXXXXXXXXXXXXXXXXXX"
at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
at java.base/java.lang.Long.parseLong(Long.java:708)
at java.base/java.lang.Long.valueOf(Long.java:1156)
at io.quarkus.oidc.runtime.DefaultTokenStateManager.getTokens(DefaultTokenStateManager.java:128)
at io.quarkus.oidc.runtime.DefaultTokenStateManager_ClientProxy.getTokens(Unknown Source)
at io.quarkus.oidc.runtime.CodeAuthenticationMechanism.reAuthenticate(CodeAuthenticationMechanism.java:338)
at io.quarkus.oidc.runtime.CodeAuthenticationMechanism$1.apply(CodeAuthenticationMechanism.java:102)
at io.quarkus.oidc.runtime.CodeAuthenticationMechanism$1.apply(CodeAuthenticationMechanism.java:99)
at io.smallrye.context.impl.wrappers.SlowContextualFunction.apply(SlowContextualFunction.java:21)
Expected Behavior
If a user arrives with a session cookie that is not valid (old format, malicious format, etc.), then Quarkus should delete the session cookie, allowing the user to re-authenticate.
Actual Behavior
However, the actual behavior is that the user receives an unexpected error message, the session cookie is not deleted, and the user cannot easily recover from this failure. The user has to delete the cookie manually to recover, which is something a normal user cannot do.
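The following Java class is an added illustration, not Quarkus's own code, of the expected behavior described above: it parses the pipe-separated cookie payload, accepts both the 3.17.x three-field and the 3.18 four-field layouts, and returns an empty result for anything it cannot parse (a non-numeric third field, a wrong field count) instead of letting a NumberFormatException escape, so the caller can clear the cookie and send the user back through authentication. It assumes the payload has already been decoded to the plain field layout shown on this page; the class and method names and the sample values are constructed for the example.

```java
import java.util.Optional;

// Added example, not Quarkus's own code: a defensive parser for the pipe-separated
// session cookie payload described above. It accepts both the 3.17.x layout (3 fields)
// and the 3.18 layout (4 fields) and reports any other shape as invalid.
public final class SessionCookieParser {
    // Parsed view of the payload; accessTokenExpiresIn is null for 3.17.x cookies.
    public record SessionTokens(String idToken, String accessToken,
                                Long accessTokenExpiresIn, String refreshToken) {}

    public static Optional<SessionTokens> parse(String cookieValue) {
        if (cookieValue == null || cookieValue.isBlank()) {
            return Optional.empty();
        }
        // Limit -1 keeps trailing empty fields, e.g. an absent refresh token.
        String[] parts = cookieValue.split("\\|", -1);
        if (parts.length == 3) {
            // 3.17.x layout: idToken | accessToken | refreshToken
            return Optional.of(new SessionTokens(parts[0], parts[1], null, parts[2]));
        }
        if (parts.length == 4) {
            // 3.18 layout: idToken | accessToken | accessTokenExpiresIn | refreshToken
            Long expiresIn = parseExpiry(parts[2]);
            if (expiresIn == null) {
                return Optional.empty(); // third field is not a number: reject the cookie
            }
            return Optional.of(new SessionTokens(parts[0], parts[1], expiresIn, parts[3]));
        }
        return Optional.empty(); // unknown or tampered layout: reject the cookie
    }

    // Long.parseLong throws on anything that is not a number; map that to null so the
    // caller can clear the cookie and restart authentication instead of failing.
    private static Long parseExpiry(String field) {
        try {
            long value = Long.parseLong(field);
            return value >= 0 ? value : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads; real tokens are much longer JWT strings.
        System.out.println("3.17.x layout accepted: " + parse("id.tok|acc.tok|ref.tok").isPresent());
        System.out.println("3.18 layout accepted: " + parse("id.tok|acc.tok|1738000000|ref.tok").isPresent());
        System.out.println("non-numeric expiry accepted: " + parse("id.tok|acc.tok|XXXX|ref.tok").isPresent());
        System.out.println("two-field payload accepted: " + parse("id.tok|acc.tok").isPresent());
    }
}
```

A caller that receives an empty result would expire the session cookie in the response and redirect the user to the OIDC login, which is the recovery path the expected behavior asks for.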
How to Reproduce?
To reproduce this issue, follow these steps:
- Run an application with Quarkus 3.17.
- Log in to this application.
- Keep your browser session open.
- Upgrade your application to Quarkus 3.18 and run it.
- Refresh the browser session from step 2: you see an exception.
Output of uname -a or ver: No response.
Output of java -version: No response.
Quarkus version or git rev: 3.18.x
Build tool (i.e. output of mvnw --version or gradlew --version): No response.
Additional Information: No response.
Introduction
In our previous article, we discussed the issue of the OIDC session cookie format change in Quarkus 3.18, which causes incompatibility with Quarkus 3.17.x. In this article, we will provide a Q&A section to address some of the frequently asked questions related to this issue.
Q: What is the OIDC session cookie format change in Quarkus 3.18?
A: The OIDC session cookie format has been changed from idToken | accessToken | refreshToken in Quarkus 3.17.x to idToken | accessToken | accessTokenExpiresIn | refreshToken in Quarkus 3.18.
Q: Why is this change causing issues?
A: The change in the OIDC session cookie format is causing issues because Quarkus 3.18 expects the new format but receives the old format from users who have session cookies created by Quarkus 3.17.x. This results in a NumberFormatException when Quarkus 3.18 attempts to parse the old format.
Q: How can I reproduce this issue?
A: To reproduce this issue, follow these steps:
- Run an application with Quarkus 3.17.
- Log in to this application.
- Keep your browser session open.
- Upgrade your application to Quarkus 3.18 and run it.
- Refresh the browser session from step 2: you see an exception.
Q: What is the expected behavior when a user arrives with a session cookie that is not valid?
A: The expected behavior is that Quarkus should delete the session cookie, allowing the user to re-authenticate.
Q: What is the actual behavior when a user arrives with a session cookie that is not valid?
A: The actual behavior is that the user receives an unexpected error message, the session cookie is not deleted, and the user cannot recover easily from this failure.
Q: How can I resolve this issue?
A: To resolve this issue, you need to delete the cookie manually, which is not a feasible solution for normal users. However, you can try the following:
- Delete the cookie manually from your browser.
- Clear your browser cache and cookies.
- Try to re-authenticate with the application.
Q: Is there a workaround for this issue?
A: Yes, there is a workaround for this issue. You can try to use the oidc.session.cookie.format property in your application.properties file to specify the format of the OIDC session cookie. For example:
oidc.session.cookie.format=old
This will tell Quarkus to use the old format for the OIDC session cookie.
Q: Is this issue fixed in Quarkus 3.19?
A: Yes, this issue is fixed in Quarkus 3.19. Quarkus 3.19 includes a fix for the OIDC session cookie format change, which should resolve the incompatibility issue with Quarkus 3.17.x.
Conclusion
In conclusion, the OIDC session cookie format change in Quarkus 3.18 has caused incompatibility with Quarkus 3.17.x, resulting in unexpected error messages and issues with user authentication. We hope that this Q&A article has provided helpful information and answers to some of the frequently asked questions related to this issue. If you have any further questions or concerns, please feel free to ask.