From 5dffe80d88c751986162a70d73a8c16d1f827c70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ou=C5=A1ek?=
Date: Mon, 6 Nov 2023 18:16:10 +0100
Subject: [PATCH] docs: thread-safe example config

by default, password and salt used for encryption of authorization code are autogenerated, which breaks code exchange when using multiple threads or servers
---
 example/oidcop_frontend.yaml | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/example/oidcop_frontend.yaml b/example/oidcop_frontend.yaml
index fa1984d..e686d46 100644
--- a/example/oidcop_frontend.yaml
+++ b/example/oidcop_frontend.yaml
@@ -179,8 +179,21 @@ config:
           email:
             - urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
       session_params:
-        password: CHANGE_ME__password_used_to_encrypt_access_token_sid_value
-        salt: 'CHANGE_ME salt involved in session sub hash'
+        encrypter:
+          class: cryptojwt.jwe.fernet.FernetEncrypter
+          kwargs:
+            password: CHANGE_ME__password_used_to_encrypt_access_token_sid_value
+            salt: 'CHANGE_ME salt involved in session sub hash'
+            keys:
+              key_defs:
+                - type: OCT
+                  use:
+                    - enc
+                  kid: password
+                - type: OCT
+                  use:
+                    - enc
+                  kid: salt
         sub_func:
           pairwise:
             class: idpyoidc.server.session.manager.PairWiseID
@@ -195,6 +208,20 @@ config:
             code:
               kwargs:
                 lifetime: 600
+                crypt_conf:
+                  kwargs:
+                    password: CHANGE_ME__password_used_to_encrypt_authorization_code
+                    salt: 'CHANGE_ME salt involved in authorization code hash'
+                    keys:
+                      key_defs:
+                        - type: OCT
+                          use:
+                            - enc
+                          kid: password
+                        - type: OCT
+                          use:
+                            - enc
+                          kid: salt
           id_token:
             class: idpyoidc.server.token.id_token.IDToken
             kwargs:
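Review bot: The new `encrypter` block carries over the `CHANGE_ME` placeholders, but nothing in the example states that `password` and `salt` must be set explicitly and to identical values on every worker and server, which according to the commit message is the only reason the block exists; someone copying the example has no way to know that omitting them presumably falls back to per-process autogenerated values. Add a comment above `encrypter:` such as `# Set these explicitly and keep them identical on every worker/server; otherwise each process generates its own values and data encrypted by one process cannot be read by another.`, and the same comment belongs above `crypt_conf:` in the second hunk. Because these are secrets, the comment should also point readers to supplying them from the environment or a secret store instead of leaving real values in the committed config.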
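Review bot: `crypt_conf` under `code: kwargs:` names no `class:`, while the `encrypter` block in the first hunk spells out `cryptojwt.jwe.fernet.FernetEncrypter`; if the code token handler defaults to that same encrypter the omission is harmless but should be stated, and if it does not, the `password` and `salt` given here could be ignored and the autogenerated defaults return, which is exactly the multi-worker failure this commit sets out to remove. Either add `class: cryptojwt.jwe.fernet.FernetEncrypter` under `crypt_conf:` for symmetry with the first hunk, or add a comment recording which encrypter class is applied when `class:` is absent. The enclosing token handler mapping continues outside the hunk.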