feat(openid-connect): support session.secret_fallbacks for key rotation#13702
Open
jens-skribble wants to merge 1 commit into
Open
feat(openid-connect): support session.secret_fallbacks for key rotation#13702jens-skribble wants to merge 1 commit into
jens-skribble wants to merge 1 commit into
Conversation
The openid-connect plugin stores its session in a cookie sealed with a key derived from `session.secret`. Rotating that single secret invalidates every live cookie at once, forcing all users to re-authenticate. In an HA deployment updated instance-by-instance it also creates a window where an instance carrying the new secret cannot decrypt a cookie issued by an instance still using the old one. lua-resty-session 4.x already supports graceful key rotation via `secret_fallbacks`: cookies sealed with any fallback secret still decrypt, while new cookies are sealed with the primary `secret`. The `session` schema's `additionalProperties = false` prevented passing it through. This exposes `session.secret_fallbacks` explicitly (mirroring the pattern already used by saml-auth), adds it to `encrypt_fields`, and documents the pre-seed -> flip -> retire rotation procedure. `build_session_opts` already forwards the session table verbatim to lua-resty-session, so no runtime change is needed. Generated-by: Claude (Anthropic) via Claude Code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
openid-connectplugin stores its session in a cookie sealed with a key derived fromsession.secret. Because the plugin exposes only a singlesession.secret(and thesessionschema setsadditionalProperties = false), the secret cannot be rotated without breaking active sessions:session.secretinvalidates every live cookie at once, forcing all users to re-authenticate.lua-resty-session4.x (already used by this plugin) supports graceful key rotation viasecret_fallbacks: cookies sealed with any secret listed insecret_fallbacksstill decrypt, while new cookies are sealed with the primarysecret. This PR exposes that option:session.secret_fallbacks(array of strings, eachminLength16) to thesessionschema.session.secret_fallbackstoencrypt_fieldsso the values are encrypted at rest when data encryption is enabled (the nested-array path is handled byplugin.lua'sprocess_encrypt_field).build_session_optsalready forwards thesessiontable verbatim toresty.session.start(), so no runtime change is required beyond allowing the field through validation.This mirrors the
secret+secret_fallbackspattern already shipped in thesaml-auth,dingtalk-auth, andfeishu-authplugins.Checklist
session.secretare unaffected, covered by a test case)