com.aspc.cms.rest.plugin.oidc

Class OidcCookieUtil

java.lang.Object

com.aspc.cms.rest.plugin.oidc.OidcCookieUtil

public final class OidcCookieUtil
extends java.lang.Object

Utility class for managing the OIDC refresh token cookie with correct security attributes.

Only the refresh token is stored in an HttpOnly cookie. Access and ID tokens are returned to the frontend in the response body.

Cookie attributes:

• HttpOnly: true — prevents JavaScript access
• Secure: true — HTTPS only (in uat/prod)
• SameSite: Strict — CSRF protection (set via Set-Cookie header)
• Path: /api/oidc/ — scoped to OIDC endpoints only
• Max-Age — set to the refresh token lifetime

Author:

Claude

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	COOKIE_PATH The cookie path, scoped to OIDC endpoints only.
static java.lang.String	COOKIE_REFRESH_TOKEN The cookie name used to store the refresh token.
static int	DEFAULT_REFRESH_TOKEN_MAX_AGE Default refresh token lifetime: 30 days in seconds.

Method Summary

Modifier and Type	Method and Description
static java.lang.String	buildSameSiteCookieHeader(java.lang.String refreshToken, boolean secure, int maxAgeSeconds) Builds the Set-Cookie header value for the refresh token cookie with the SameSite=Strict attribute.
static void	clearRefreshTokenCookie(WebClient client) Clears the refresh token cookie by setting its max-age to zero.
static java.lang.String	getRefreshTokenCookie(WebClient client) Reads the refresh token from the request cookie.
static void	setRefreshTokenCookie(WebClient client, java.lang.String refreshToken) Sets a secure, HttpOnly cookie containing the refresh token.
static void	setRefreshTokenCookie(WebClient client, java.lang.String refreshToken, int maxAgeSeconds) Sets a secure, HttpOnly cookie containing the refresh token with a specified max-age.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

COOKIE_REFRESH_TOKEN

public static final java.lang.String COOKIE_REFRESH_TOKEN

The cookie name used to store the refresh token.

See Also:

Constant Field Values

COOKIE_PATH

public static final java.lang.String COOKIE_PATH

The cookie path, scoped to OIDC endpoints only.

See Also:

Constant Field Values

DEFAULT_REFRESH_TOKEN_MAX_AGE

public static final int DEFAULT_REFRESH_TOKEN_MAX_AGE

Default refresh token lifetime: 30 days in seconds.

See Also:

Constant Field Values

Method Detail

setRefreshTokenCookie

public static void setRefreshTokenCookie(@Nonnull
                                         WebClient client,
                                         @Nonnull
                                         java.lang.String refreshToken)

Sets a secure, HttpOnly cookie containing the refresh token.

The cookie is configured with HttpOnly, Secure (when the request is over HTTPS), and scoped to the OIDC endpoint path.

Parameters:

client - the WebClient for the current request

refreshToken - the refresh token value to store

setRefreshTokenCookie

public static void setRefreshTokenCookie(@Nonnull
                                         WebClient client,
                                         @Nonnull
                                         java.lang.String refreshToken,
                                         int maxAgeSeconds)

Sets a secure, HttpOnly cookie containing the refresh token with a specified max-age.

Parameters:

client - the WebClient for the current request

refreshToken - the refresh token value to store

maxAgeSeconds - the cookie lifetime in seconds

getRefreshTokenCookie

@CheckReturnValue
 @Nullable
public static java.lang.String getRefreshTokenCookie(@Nonnull
                                                                                  WebClient client)

Reads the refresh token from the request cookie.

Parameters:

client - the WebClient for the current request

Returns:

the refresh token value, or null if the cookie is not present or blank

clearRefreshTokenCookie

public static void clearRefreshTokenCookie(@Nonnull
                                           WebClient client)

Clears the refresh token cookie by setting its max-age to zero.

Used during logout to remove the refresh token from the browser.

Parameters:

client - the WebClient for the current request

buildSameSiteCookieHeader

@CheckReturnValue
 @Nonnull
public static java.lang.String buildSameSiteCookieHeader(@Nonnull
                                                                                     java.lang.String refreshToken,
                                                                                     boolean secure,
                                                                                     int maxAgeSeconds)

Builds the Set-Cookie header value for the refresh token cookie with the SameSite=Strict attribute.

The standard javax.servlet.http.Cookie API does not support the SameSite attribute. This method returns the complete header value that can be added to the response via response.addHeader("Set-Cookie", value).

Parameters:

refreshToken - the refresh token value

secure - whether to include the Secure flag

maxAgeSeconds - the cookie lifetime in seconds

Returns:

the complete Set-Cookie header value