IBM · smoser-ibm · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/auth-oidc-proxy/README.md b/auth-oidc-proxy/README.md
@@ -14,7 +14,7 @@ In order to be able to authenticate using OIDC SSO, you'll need to choose and co
 
 ### Github.com OIDC SSO
 
-Github.com provides a publicly available OIDC provider, that can be used to point to Code Engine applications, which you deployed in your IBM Cloud account. Use the following steps to configure an SSO app:
+GitHub.com provides a publicly available OIDC provider, that can be used to point to Code Engine applications, which you deployed in your IBM Cloud account. Use the following steps to configure an SSO app:
 
 * Create Github OIDC app through https://github.com/settings/developers
     ```
@@ -29,7 +29,7 @@ Github.com provides a publicly available OIDC provider, that can be used to poin
     ```
 * Generate a random cookie secret that is used to encrypt the auth cookie value and add it to the `oidc.properties` file
     ```
-    echo "COOKIE_SIGNING_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> oidc.properties
+    echo "COOKIE_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> oidc.properties
     ```
 * From your OIDC provider obtain the following values and add them to the `oidc.properties` file
     ```
@@ -40,12 +40,12 @@ Github.com provides a publicly available OIDC provider, that can be used to poin
 * To add authorization checks one can check for a specific user property
     ```
     echo "AUTHZ_USER_PROPERTY=login" >> oidc.properties
-    echo "AUTHZ_ALLOWED_USERS=<<comma-separated-list-of-github-users>" >> oidc.properties
+    echo "AUTHZ_ALLOWED_USERS=<comma-separated-list-of-github-users>" >> oidc.properties
     ```
 
 ### IBMers-only: w3Id OIDC SSO
 
-To protect IBM's workforce, the SSO Provisioner provides the ability to configure an w3Id SSO. Note: This SSO provider can only be used by IBMers
+To protect IBM-owned, internal applications, the w3Id SSO Provisioner provides the ability to configure an w3Id SSO. Note: This SSO provider can only be used by IBMers
 
 * Create w3Id OIDC configuration through https://w3.ibm.com/security/sso-provisioner
     ```
@@ -60,7 +60,7 @@ To protect IBM's workforce, the SSO Provisioner provides the ability to configur
     ```
 * Generate a random cookie secret that is used to encrypt the auth cookie value and add it to the `oidc.properties` file
     ```
-    echo "COOKIE_SIGNING_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> oidc.properties
+    echo "COOKIE_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> oidc.properties
     ```
 * From your OIDC provider obtain the following values and add them to the `oidc.properties` file
     ```

diff --git a/auth-oidc-proxy/auth/Dockerfile b/auth-oidc-proxy/auth/Dockerfile
@@ -1,10 +1,10 @@
-FROM registry.access.redhat.com/ubi9/nodejs-22:latest AS build-env
+FROM registry.access.redhat.com/ubi9/nodejs-24:latest AS build-env
 WORKDIR /app
 COPY package.json .
 RUN npm install
 
 # Use a small distroless image for as runtime image
-FROM gcr.io/distroless/nodejs22-debian12
+FROM gcr.io/distroless/nodejs24-debian12
 COPY --from=build-env /app /app
 WORKDIR /app
 COPY index.mjs public/ .

diff --git a/auth-oidc-proxy/auth/index.mjs b/auth-oidc-proxy/auth/index.mjs
@@ -10,7 +10,7 @@ const requiredEnvVars = [
   "OIDC_PROVIDER_TOKEN_ENDPOINT",
   "OIDC_PROVIDER_USERINFO_ENDPOINT",
   "OIDC_REDIRECT_URL",
-  "COOKIE_SIGNING_ENCRYPTION_KEY",
+  "COOKIE_ENCRYPTION_KEY",
   "COOKIE_DOMAIN",
   "REDIRECT_URL",
 ];
@@ -23,14 +23,19 @@ requiredEnvVars.forEach((envVarName) => {
 });
 
 const SESSION_COOKIE = process.env.COOKIE_NAME || "session_token";
-const ENCRYPTION_KEY = Buffer.from(process.env.COOKIE_SIGNING_ENCRYPTION_KEY, "base64");
-const ENCRYPTION_IV = crypto.randomBytes(16);
+let ENCRYPTION_KEY;
+if(process.env.COOKIE_ENCRYPTION_KEY)
+  ENCRYPTION_KEY = Buffer.from(process.env.COOKIE_ENCRYPTION_KEY, "base64");
+let ENCRYPTION_IV = crypto.randomBytes(16);
+if (process.env.COOKIE_ENCRYPTION_IV) {
+  ENCRYPTION_IV = Buffer.from(process.env.COOKIE_ENCRYPTION_IV, "base64");
+}
 const ENCRYPTION_ALGORITHM = "aes-256-cbc";
 
 // check whether the KEY has got 32 bytes (256-bit)
-if (ENCRYPTION_KEY.length != 32) {
+if (process.env.COOKIE_ENCRYPTION_KEY && ENCRYPTION_KEY.length != 32) {
   console.log(
-    `Environment variable 'COOKIE_SIGNING_ENCRYPTION_KEY' has wrong length. Current: ${ENCRYPTION_KEY.length}. Expected: 32`
+    `Environment variable 'COOKIE_ENCRYPTION_KEY' has wrong length. Current: ${ENCRYPTION_KEY.length}. Expected: 32`
   );
   process.exit(1);
 }