From 86c75b7a80beb7a02038672009be29ba7fc7e812 Mon Sep 17 00:00:00 2001
From: aram price
Date: Wed, 9 Dec 2020 17:29:44 -0800
Subject: [PATCH] CSRF cookie is no longer encrypted

---
 internal/oidc/provider/manager/manager.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go
index 2cd8b18f..4a429696 100644
--- a/internal/oidc/provider/manager/manager.go
+++ b/internal/oidc/provider/manager/manager.go
@@ -94,8 +94,7 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
 upstreamStateEncoder.SetSerializer(securecookie.JSONEncoder{})
 var csrfCookieEncoderHashKey = []byte("fake-csrf-hash-secret") // TODO replace this secret
-var csrfCookieEncoderBlockKey = []byte("16-bytes-CSRF012") // TODO replace this secret
-var csrfCookieEncoder = securecookie.New(csrfCookieEncoderHashKey, csrfCookieEncoderBlockKey)
+var csrfCookieEncoder = securecookie.New(csrfCookieEncoderHashKey, nil)
 csrfCookieEncoder.SetSerializer(securecookie.JSONEncoder{})
 m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer)
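Review bot: With the block key gone, the HMAC hash key is the only thing that makes the CSRF cookie trustworthy, and `csrfCookieEncoderHashKey` is still the hard-coded literal `"fake-csrf-hash-secret"` marked TODO on the context line just above the change; a signing key that is fixed in source lets anyone who can read the repository mint cookies the server will accept, so the remaining TODO should be resolved (a per-deployment random key, with the 32- or 64-byte length securecookie documents) rather than left as a follow-up. The `nil` block key is a deliberate choice that deserves a comment on the added line, since a later reader may read it as an oversight; something like `// nil block key: the CSRF cookie is signed but not encrypted — its value is presumably a random token that need not be hidden from the client, only tamper-proof` (confirm what the cookie actually carries before committing to that wording). The enclosing `SetProviders` starts before and continues past this hunk, so the hash key's lifetime and any rotation behaviour are not visible here.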