quarkus: [OIDC] Too large JWT cookie causes infinite redirect loop
Too large JWT causes infinite redirect loop
A cookie may not exceed 4096 bytes, so a very large JWT may cause the cookie not to be set at all. This results in the user being redirected back to the OIDC server. This is notably an issue with Keycloak instances with a configuration that predates version 3.2 (roles were then included in the JWT). This can probably be solved by splitting the JWT up into multiple cookies, although that’s likely not the prettiest solution. Another approach could be to log more and prevent the redirection loop, letting the user know what the issue is.
Edit: See https://github.com/quarkusio/quarkus/issues/12297 for a solution to the feature described below.
Support for application-type=service+web-app?
I’m piggybacking another OIDC issue onto this one:
We have REST APIs that are used by both web apps and by other services. For the web app we’d like to use cookies; services supply an “Authorization” header with the bearer token.
Setting application-type=web-app causes services to be redirected to the OIDC server for authentication, while setting application-type=service forbids the web app from using the API. I was unsuccessful in finding a solution for this that didn’t involve either duplicating the REST API or making the web app send a bearer token with every request. Unless a solution for this already exists (or there are security concerns with combining the two application types), it would be nice to have a mode where the header is checked for an Authorization entry before redirecting the user to authenticate.
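The following is an added example, not code from the issue author or from Quarkus. It models the two problems raised above in one small Python script: an OIDC session token that no longer fits in a 4096-byte cookie (the browser drops the cookie, the app sees no session and redirects to the OIDC server again, and so on), and a mixed web-app/service endpoint that should look for an Authorization: Bearer header before redirecting. The cookie names q_session, q_session_chunk_N and q_session_attempt, the "count|data" encoding and the sample token are all assumptions made for the example; the token is constructed and not signed.

```python
"""
Added example (Python; not Quarkus code): models why an oversized session cookie
causes the redirect loop, and three mitigations from the thread: chunking the
token across cookies, detecting a dropped cookie instead of redirecting again,
and honouring an Authorization: Bearer header before any redirect.
Cookie names (q_session, q_session_chunk_N, q_session_attempt) are hypothetical.
"""
import base64
import json

COOKIE_LIMIT = 4096                      # bytes per Set-Cookie the issue cites
ATTRS = "Path=/; HttpOnly; Secure; SameSite=Lax"
SESSION = "q_session"                    # hypothetical session cookie name
ATTEMPT = "q_session_attempt"            # hypothetical, tiny, short-lived marker


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_token(n_roles: int) -> str:
    """JWT-shaped string with a large role list (constructed, not signed)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"sub": "alice",
              "realm_access": {"roles": [f"role-{i}" for i in range(n_roles)]}}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{'A' * 342}"  # placeholder for an RS256 signature


def set_cookie(name: str, value: str, extra: str = "") -> str:
    return f"{name}={value}; {ATTRS}{extra}"


def fits(header: str) -> bool:
    return len(header.encode("utf-8")) <= COOKIE_LIMIT


def session_cookies(token: str, chunk: bool) -> list:
    """Set-Cookie headers for a fresh session. With chunk=False an oversized
    token produces one header that the browser will silently drop."""
    headers = [set_cookie(ATTEMPT, "1", "; Max-Age=60")]  # always fits
    single = set_cookie(SESSION, f"1|{token}")             # "<count>|<data>"
    if not chunk or fits(single):
        headers.append(single)
        return headers
    # Room per chunk cookie after name, attributes and a worst-case count prefix.
    room = COOKIE_LIMIT - len(set_cookie(f"{SESSION}_chunk_99", "9999|"))
    pieces = [token[i:i + room] for i in range(0, len(token), room)]
    headers.append(set_cookie(SESSION, f"{len(pieces)}|{pieces[0]}"))
    for idx, piece in enumerate(pieces[1:], start=1):
        headers.append(set_cookie(f"{SESSION}_chunk_{idx}", piece))
    return headers


def browser_store(headers: list) -> dict:
    """Model of a browser cookie jar: headers over the limit are dropped."""
    jar = {}
    for h in headers:
        if fits(h):
            name, _, rest = h.partition("=")
            jar[name] = rest.split(";", 1)[0]
    return jar


def read_session(jar: dict):
    """Reassemble the token, or None if any chunk is missing (partial set)."""
    if SESSION not in jar:
        return None
    count, _, first = jar[SESSION].partition("|")
    if not count.isdigit():
        return None
    parts = [first]
    for idx in range(1, int(count)):
        piece = jar.get(f"{SESSION}_chunk_{idx}")
        if piece is None:
            return None
        parts.append(piece)
    return "".join(parts)


def next_action(jar: dict, request_headers: dict = None) -> str:
    """What the app should do with a request that is not obviously logged in."""
    auth = (request_headers or {}).get("Authorization", "")
    if auth.startswith("Bearer "):
        # Service caller: validate the bearer token here; on failure answer 401,
        # never redirect a non-browser client to the login page.
        return "bearer"
    if read_session(jar) is not None:
        return "proceed"
    if jar.get(ATTEMPT) == "1":
        # The session cookie was sent but never came back: the browser dropped
        # it. Redirecting to the OIDC server again would loop; fail loudly.
        return "error"
    return "redirect"


if __name__ == "__main__":
    big = constructed_token(400)
    print(len(big), "byte token")
    print("unchunked:", next_action(browser_store(session_cookies(big, False))))
    jar = browser_store(session_cookies(big, True))
    print("chunked:", next_action(jar), read_session(jar) == big)
    print("service:", next_action({}, {"Authorization": "Bearer x.y.z"}))
```

The marker cookie is what turns a silent loop into a diagnosable error: it always fits, so if it comes back while the session cookie does not, the browser rejected the session cookie and another redirect cannot help. In a real application the marker should be short-lived (hence Max-Age) and cleared when the error is returned, so a later visit can authenticate normally. The chunked form stores the chunk count in the first cookie so that a partial set (a browser evicting one cookie of several) is treated as no session rather than as a truncated token.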
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 22 (12 by maintainers)
It seems like this is something I can use to alleviate our situation. Thank you for quick and thorough replies, they’ve been very helpful and most appreciated.