FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

AWSELBAuthSessionCookie (or any big yummy cookie) may cause "header is too large" exception #608

Closed shortstack closed 4 years ago

shortstack commented 4 years ago

java.lang.IllegalArgumentException: Request header is too large

Description

FusionAuth running on Ubuntu 16, no other issues so far

FusionAuth is configured as the identity provider for AWS cognito for SSO on our ALBs

Requests for the magic link work fine in incognito mode every time

Getting the following error after clicking the "Login with a magic link" button after a few hours of idle time since authing

Link clicked: https://REDACTED/oauth2/authorize?client_id=REDACTED&redirect_uri=REDACTED&scope=openid&response_type=code&state=ZXlKMWMyVnlVRzl2YkVsa0lqb2lkWE10WldGemRDMHhYMmxIV0RCaGFUSk5UQ0lzSW5CeWIzWnBaR1Z5VG1GdFpTSTZJa3h2WjJsdUlpd2lZMnhwWlc1MFNXUWlPaUl6YlRWMWJESnlZV3M0Wkc4d2NYQndNMnh2WVRCMk1HZG5ieUlzSW5KbFpHbHlaV04wVlZKSklqb2lhSFIwY0hNNkx5OW5aWFIwYVc1bkxYTjBZWEowWldRdWJtVjBkMjl5YTJSbFptVnVjMlZ5WVc1blpTNXBieTl2WVhWMGFESXZhV1J3Y21WemNHOXVjMlVpTENKeVpYTndiMjV6WlZSNWNHVWlPaUpqYjJSbElpd2ljSEp2ZG1sa1pYSlVlWEJsSWpvaVQwbEVReUlzSW5OamIzQmxjeUk2V3lKdmNHVnVhV1FpWFN3aWMzUmhkR1VpT2lKMFZ6SlpWRTVxZUhWSmFHdGFTSFl5VjJVMldIRlNhR3BqWm5SSk1ESTNNRGRjWEM5M1lsbFJabFZEWlZCdU1WRnpjbkJqYm5KTFptUllTWEJCT0V4a1NVOVBZV1J1Y210V1RVSmpVMkZxTjBKUFIwYzJNbEIyTkdNNGJYTk5UMm8xYUVSVllUZHhiVGxSZFRKR1VubFphRUoyTURkWVFVeHBOV3R4VjNOUE1XNVVLMXBuZUhOQk5UQlVNSzlsWm1neFZWZHlSVTl1UTNoMFdtZG9OMWhzUm05b1FVVndXbU51WVVwTVNsQjFWMFpNZEd4SGJsTXhTVFZKVjFKNVRuRjVOelZLYzBkeGJWRm9VbFppTlNJc0ltTnZaS2ZEYUdGc2JHVnVaMlVpT201MWJHd3NJbU52WkdWRGFHRnNiR1Z1WjJWTlpYUm9iMlFpT201MWJHd3NJbTV2Ym1ObElqb2lVR05PUVhNNFYzZEdhRmx0TUhaNk0xVkljbUZ5UW1oblJWUnZNMmhKTTNkbWVraEJlRTQzU0UxcFExTk5jWE40WmpFeVpIbDNTRlZFTWtkRWVuQTJUVEI0VkVod1FuTXdSbWR3VG05NFFYbFdSMWRDTFd4Mk9VaEtUMjFQUXpGdFVYWkdlR2QwUVU1Tk1WTkdRMk5mYUU1RVEwSjZPSGxNVjI5SFRHZG1kMjFGYTFkS1VtVllVVEJHYW5SUVVXVTJUMDF6UW5kamEyNVRkVTlITmxOUlNqTlBNelJDTUhZMWExSmpJaXdpYzJWeWRtVnlTRzl6ZEZCdmNuUWlPaUp5WldOdmJpMXVaSEl1WVhWMGFDNTFjeTFsWVhOMExURXVZVzFoZW05dVkyOW5ibWwwYnk1amIyMGlMQ0pqY21WaGRHbHZibFJwYldWVFpXTnZibVJ6SWpveE5UZzRPRGsyTlRjNExDSnpaWE56YVc5dUlqcHVkV3hzTENKMWMyVnlRWFIwY21saWRYUmxjeUk2Ym5Wc2JDd2lhWE5UZEdGMFpVWnZja3hwYm10cGJtZFRaWE56YVc5dUlqcG1ZV3h6WlgwPTpEZUlBakdZYzRZZXhsTlBXeGYva29YNVYxNUc4OFMwU2tXTlIxR3lUSEY0PToz

Link sent to: https://REDACTED?tenantId=REDACTED/oauth2/passwordless&client_id=REDACTED&nonce=&redirect_uri=REDACTED%2Foauth2%2Fidpresponse&response_mode=&response_type=code&scope=openid&state=[elided]&timezone=America%2FNew_York&metaData.device.name=Linux%20Chrome&metaData.device.type=BROWSER&code_challenge=&code_challenge_method=&user_code=

07-May-2020 21:43:25.129 INFO [https-jsse-nio-9013-exec-7] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
    java.lang.IllegalArgumentException: Request header is too large
        at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:589)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:700)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

Wondering if increasing the max HTTP header size in the Tomcat server config would be a fix or a bandaid on an underlying issue

Steps to reproduce

  1. Log in via magic link, clean session
  2. Wait a couple hours, no activity
  3. Bring up page that requires auth and request magic link
  4. See error

Expected behavior

To be sent to the page with the email form to receive the magic link

Screenshots

[Screenshot: Screenshot_20200507-201327_Chrome]

Platform

(Please complete the following information)

robotdan commented 4 years ago

When this occurs, can you capture the request headers out of the browser debugger?

Also, if you can grab the exception in the FusionAuth logs that would be helpful as well. /usr/local/fusionauth/logs.

Tomcat has a default maxHttpHeaderSize of 8k, so perhaps we are hitting that limit. If you can recreate easily, you could try increasing this value to see if it alleviates the issue. That would tell us if we are on the right track.

https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

shortstack commented 4 years ago

Thank you! Grabbing shortly.

shortstack commented 4 years ago

The exception I see in the logs is what I pasted above.

I am an idiot and didn't grab the headers (outside of the params in the links above) before I implemented the change in Tomcat.

I did, however, see that the request size for https://REDACTED/oauth2/authorize was 13k and the request size for https://REDACTED?tenantId=REDACTED/oauth2/passwordless was 2k.

I bumped up the maxHttpHeaderSize in server.xml for the HTTP and HTTPS connectors and restarted, and I can no longer replicate the issue, which I was able to do several times previous to making the change.

I'm going to try again in a little while and see if I can continue to break it.

You said "That would tell us if we are on the right track." -- do you suspect this is only a bandaid and that there is another issue? Or is it just that much header/session data? There is also an AWS ALB session cookie being sent since this is behind an ALB.

08-May-2020 01:27:58.511 INFO [https-jsse-nio-9013-exec-3] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
    java.lang.IllegalArgumentException: Request header is too large
        at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:589)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:700)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
08-May-2020 01:28:22.188 INFO [https-jsse-nio-9013-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
    java.lang.IllegalArgumentException: Request header is too large
        at org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:589)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:700)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
robotdan commented 4 years ago

do you suspect this is only a bandaid and that there is another issue?

No, not necessarily. It could just be your use case is producing a huge request header of some sort. It is larger than I would expect, but increasing the size may be a decent solution.

For it to be a permanent solution, we'd have to ship Tomcat with this configuration, or provide some configuration option. I found a bunch of StackOverflow threads that indicate people just bump it up to 32k or 64k. I think in theory there is some additional risk of DDoS when this value is allowed to be unnecessarily large.

I did also notice that between older and newer versions of Tomcat they have changed the default from 4k to 8k, and yet other articles indicate that if you're using Kerberos or similar tech you may need to bump the max to 32k. This all seems to indicate that the "reasonable" size is getting bigger as we find more uses for HTTP headers.

Perhaps with all of the state values that get passed around the default of 8k is too small.

The state value that is on that URL looks to be double Base64 encoded, so not sure what is happening there. We may have to attempt to recreate, but if you can collect the headers from the browser debugger that would be helpful.

there is also an AWS ALB session cookie being sent since this is behind an ALB

With regards to seeing the full headers, I'm mainly interested to see if that is all on the request itself, or if there is a Set-Cookie header that is adding to the length of the total request. This sounds like there may be several cookies adding to the length of the request headers.

Related info on max header sizes https://help.heroku.com/TQ80D553/why-do-i-get-a-400-bad-request-response-when-i-have-large-cookies https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html

In summary, I think your workaround to increase the max size seems reasonable. We'll review to see if we want to increase this in our shipped configuration and perhaps if we should expose this configuration in case it needs to be modified in the field.

Thanks for testing the workaround.
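The "double Base64 encoded" state value and the growth it causes can be inspected mechanically. The Python below is an added example for this thread, not code from FusionAuth, AWS or either commenter. It constructs its own sample state (a small JSON document, base64-encoded, joined to a placeholder signature and a version number with `:` separators, then base64-encoded again; that shape is an assumption used only for illustration, not a decoding of the value posted above), peels the layers back until plain JSON appears, and reports how many bytes on the wire each byte of real payload costs. Each base64 layer grows data by 4/3, so two layers alone cost about 1.78x before any URL-encoding or cookie overhead.

```python
"""Peel a nested-base64 OAuth state value and measure how much the encoding inflates it.

Added example for this issue, not FusionAuth code. The sample state below is
constructed: a small JSON document, base64-encoded, joined to a placeholder
signature and a version with ':' separators, then base64-encoded again. That
shape is an assumption used for illustration, not a decoding of the real value.
"""
from __future__ import annotations

import base64
import binascii
import json
import re

_B64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def _decode_once(text: str) -> bytes | None:
    """Base64-decode text if it is syntactically base64 (standard or URL-safe); else None."""
    if len(text) < 8 or not _B64_CHARS.match(text):
        return None
    core = text.replace("-", "+").replace("_", "/").rstrip("=")
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(value: str, max_layers: int = 5) -> list[str]:
    """Successive layers: the value itself, then each decoding that is still text.
    A layer shaped like payload:signature:version is peeled on its first field;
    the signature is left alone because it would not decode as text anyway."""
    layers = [value]
    current = value
    for _ in range(max_layers):
        raw = _decode_once(current.split(":", 1)[0])
        if raw is None:
            break
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary payload (e.g. a MAC); nothing further to peel
        layers.append(text)
        current = text
    return layers


def innermost_json(value: str) -> dict | None:
    """The JSON object at the bottom of the stack, if one is there."""
    for layer in reversed(peel(value)):
        try:
            parsed = json.loads(layer)
        except json.JSONDecodeError:
            continue
        if isinstance(parsed, dict):
            return parsed
    return None


def expansion(value: str) -> float:
    """Bytes on the wire per byte of innermost payload (each base64 layer costs ~4/3)."""
    layers = peel(value)
    return len(layers[0]) / len(layers[-1])


# Constructed sample: JSON -> base64 -> "payload:signature:version" -> base64.
INNER = json.dumps({
    "redirectURI": "https://app.example/oauth2/idpresponse",
    "scopes": ["openid"],
    "nonce": "n-" + "x" * 40,
    "createdAt": 1588896578,
}, separators=(",", ":"))
SIGNATURE = base64.b64encode(b"\x00" * 32).decode()  # placeholder, not a real MAC
SAMPLE_STATE = base64.b64encode(
    f"{base64.b64encode(INNER.encode()).decode()}:{SIGNATURE}:3".encode()
).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE_STATE)):
        print(f"layer {depth}: {len(layer):4d} bytes  {layer[:60]}...")
    print("innermost JSON:", innermost_json(SAMPLE_STATE))
    print(f"expansion: {expansion(SAMPLE_STATE):.2f}x")
```

Run it against a real state value from a browser capture to see how many layers it carries and what the expansion factor is; the decoding is a heuristic (it stops at the first layer that is not syntactically base64 or not UTF-8), so an unexpected stop usually means a layer is binary or uses a different alphabet.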

shortstack commented 4 years ago

Yes, definitely--one of my first thoughts was how does bumping this up affect potential for another attack vector, but if it's required with so much data... might not be an option. I also noticed the default, because I was initially looking at 8.0 but then realized FA is on 8.5. Figured surely that would be enough but, maybe not.

The ALB session data especially is about as big as the session data in the requests I posted above. This might be an edge case since multiple layers, but we surely can't be the only people using FA as an IDP behind Cognito.

Will post headers later! Thank you much for your help!

shortstack commented 4 years ago

/oauth2/authorize

Request Size: 13.4 kB

Request headers

:authority: REDACTED

:method: GET

:path: /oauth2/authorize?client_id=REDACTED&redirect_uri=REDACTED&scope=openid&response_type=code&state=ZXlKMWMyVnlVRzl2YkVsa0lqb2lkWE10WldGemRDMHhYMmxIV0RCaGFUSk5UQ0lzSW5CeWIzWnBaR1Z5VG1GdFpTSTZJa3h2WjJsdUlpd2lZMnhwWlc1MFNXUWlPaUl6YlRWMWJESnlZV3M0Wkc4d2NYQndNMnh2WVRCMk1HZG5ieUlzSW5KbFpHbHlaV04wVlZKSklqb2lhSFIwY0hNNkx5OW5jbUY1Ykc5bkxtNWxkSGR2Y210a1pXWmxibk5sY21GdVoyVXVhVzh2YjJGMWRHZ3lMMmxrY0hKbGMzQnZibk5sSWl3aWNtVnpjRzl1YzJWVWVYQmxJam9pWTI5a1pTSXNJbkJ5YjNacFpHVnlWSGx3WlNJNklrOUpSRU1pTENKelkyOXdaWE1pT2xzaWIzQmxibWxrSWwwc0luTjBZWFJsSWpvaWJYaEtVbGN6ZW1wMmNrSnFWU3MyTVZWR1JGTlZUamx4WXpaTlZVUjRUVmhxUVU5R2NITXdUMVZVYmpWc05WZHNOR3cxWkhKWlFXcFFlbmR2UVZJeFVGWTNXa1JwZHpoM2EyaGhRVWhsUVRkdFNWSlRiRWhYYUdkQldGaGhjREZRWmpaMGJVUndRa0ZPYmxwS1JHTlNaME5IYmpoSWN6SnBObnBGUjNCaVMydzFXR0V4VUdaSlZuQXJOMXhjTDJKcFMxZHFaMEpGT1V0RFkxZDJkVTVMYTJSMlQyUXpUelJaZFdkTVJWUjBSRU0xVm1wdlNuaFFWRFZ0VGpSb2JXeFJaR0pSWkdJcllqVlhNMmh3VEc4aUxDSmpiMlJsUTJoaGJHeGxibWRsSWpwdWRXeHNMQ0pqYjJSbFEyaGhiR3hsYm1kbFRXVjBhRzlrSWpwdWRXeHNMQ0p1YjI1alpTSTZJbGwzT1d4T09WODNNV3RSYkZGUldGVTJRbGxCWlRsQldWUnBTVFJPTXkwdGRVeHFRMFpmWDJwR2RIWm1kVkZ2TjFwUk9HOXNWalJ2WWtKR1dIWnZkRlUxYzFaQlJsOWZTVVZ3YVRSR2MxSk1kRXBTUzNjeE9WVXhYemg2UTNoNmRFcE5kRGRXV25ORU4yNUlhblZDYUhSWlZIbHBSM1pGWkVkbWVYVkdRM1ZJZVRWYWMwaG1Zamh6VmtwemVUTXRNV28yZVZGUWNXVkZja2Q0YjJOdk4wTk5URTVJYjNWQloyOHhjeUlzSW5ObGNuWmxja2h2YzNSUWIzSjBJam9pY21WamIyNHRibVJ5TG1GMWRHZ3VkWE10WldGemRDMHhMbUZ0WVhwdmJtTnZaMjVwZEc4dVkyOXRJaXdpWTNKbFlYUnBiMjVVYVcxbFUyVmpiMjVrY3lJNk1UVTRPRGsxTmprMU1Td2ljMlZ6YzJsdmJpSTZiblZzYkN3aWRYTmxja0YwZEhKcFluVjBaWE1pT201MWJHd3NJbWx6VTNSaGRHVkdiM0pNYVc1cmFXNW5VMlZ6YzJsdmJpSTZabUZzYzJWOTpaTXZrRjljaG1OUlRVM05ZbkM5RVJqdlRmWG4zaWJ5bDA1RGVTUWR4Ym5zPToz

:scheme: https

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

accept-encoding: gzip, deflate, br

accept-language: en-US,en;q=0.9

cache-control: no-cache

cookie: fusionauth.locale=enUS; fusionauth.trust=00-NsVPD3RMMRad31wAhoc_BNWAS8XB7BbqI273XKI; AWSELBAuthSessionCookie-0=[elided]; AWSELBAuthSessionCookie-1=IJpuSORQQdVVOiGwQKa0sEt+MW4uUG2kpvD51IzEYuPujAuNFetNIpbkO07vEj5H66QygZ+sJE98w8Gn7SzhZniEddYklS6pb6bVBDVHShxEHqvB0RN8YWsLFxWELidMbZ92hXyl80V2; JSESSIONID=786CA5C70CBDD087B42DFA4999685F52

dnt: 1

pragma: no-cache

sec-fetch-dest: document

sec-fetch-mode: navigate

sec-fetch-site: none

sec-fetch-user: ?1

upgrade-insecure-requests: 1

user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36

Query string params

client_id: REDACTED

redirect_uri: REDACTED

scope: openid

response_type: code

state: [elided]




/oauth2/passwordless

Request Size: 8.1 kB

Request headers

:authority: REDACTED

:method: GET

:path: /oauth2/passwordless?tenantId=REDACTED&client_id=REDACTED&nonce=&redirect_uri=REDACTED&response_mode=&response_type=code&scope=openid&state=[elided]&timezone=America%2FNew_York&metaData.device.name=Mac%20Chrome&metaData.device.type=BROWSER&code_challenge=&code_challenge_method=&user_code=

:scheme: https

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

accept-encoding: gzip, deflate, br

accept-language: en-US,en;q=0.9

cache-control: no-cache

cookie: fusionauth.locale=enUS; fusionauth.trust=00-NsVPD3RMMRad31wAhoc_BNWAS8XB7BbqI273XKI; AWSELBAuthSessionCookie-0=[elided]; AWSELBAuthSessionCookie-1=IJpuSORQQdVVOiGwQKa0sEt+MW4uUG2kpvD51IzEYuPujAuNFetNIpbkO07vEj5H66QygZ+sJE98w8Gn7SzhZniEddYklS6pb6bVBDVHShxEHqvB0RN8YWsLFxWELidMbZ92hXyl80V2; JSESSIONID=786CA5C70CBDD087B42DFA4999685F52

dnt: 1

pragma: no-cache

referer: https://REDACTED?client_id=REDACTED&redirect_uri=REDACTED&scope=openid&response_type=code&state=[elided]

sec-fetch-dest: document

sec-fetch-mode: navigate

sec-fetch-site: same-origin

sec-fetch-user: ?1

upgrade-insecure-requests: 1

user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36

tenantId: REDACTED

Query string params

client_id: REDACTED

nonce:

redirect_uri: https://REDACTED

response_mode:

response_type: code

scope: openid

state: ZXlKMWMyVnlVRzl2YkVsa0lqb2lkWE10WldGemRDMHhYMmxIV0RCaGFUSk5UQ0lzSW5CeWIzWnBaR1Z5VG1GdFpTSTZJa3h2WjJsdUlpd2lZMnhwWlc1MFNXUWlPaUl6YlRWMWJESnlZV3M0Wkc4d2NYQndNMnh2WVRCMk1HZG5ieUlzSW5KbFpHbHlaT93wXlZKSklqb2lhSFIwY0hNNkx5OW5jbUY1Ykc5bkxtNWxkSGR2Y210a1pXWmxibk5sY21GdVoyVXVhVzh2YjJGMWRHZ3lMMmxrY0hKbGMzQnZibk5sSWl3aWNtVnpjRzl1YzJWVWVYQmxJam9pWTI5a1pTSXNJbkJ5YjNacFpHVnlWSGx3WlNJNklrOUpSRU1pTENKelkyOXdaWE1pT2xzaWIzQmxibWxrSWwwc0luTjBZWFJsSWpvaWJYaEtVbGN6ZW1wMmNrSnFWU3MyTVZWR1JGTlZUamx4WXpaTlZVUjRUVmhxUVU5R2NITXdUMVZVYmpWc05WZHNOR3cxWkhKWlFXcFFlbmR2UVZJeFVGWTNXa1JwZHpoM2EyaGhRVWhsUVRkdFNWSlRiRWhYYUdkQldGaGhjREZRWmpaMGJVUndRa0ZPYmxwS1JHTlNaME5IYmpoSWN6SnBObnBGUjNCaVMydzFXR0V4VUdaSlZuQXJOMXhjTDJKcFMxZHFaMEpGT1V0RFkxZDJkVTVMYTJSMlQyUXpUelJaZFdkTVJWUjBSRU0xVm1wdlNuaFFWRFZ0VGpSb2JXeFJaR0pSWkdJcllqVlhNMmh3VEc4aUxDSmpiMlJsUTJoaGJHeGxibWRsSWpwdWRXeHNMQ0pqYjJSbFEyaGhiR3hsYm1kbFRXVjBhRzlrSWpwdWRXeHNMQ0p1YjI1alpTSTZJbGwzT1d4T09WODNNV3RSYkZGUldGVTJRbGxCWlRsQldWUnBTVFJPTXkwdGRVeHFRMFpmWDJwR2RIWm1kVkZ2TjFwUk9HOXNWalJ2WWtKR1dIWnZkRlUxYzFaQlJsOWZTVVZ3YVRSR2MxSk1kRXBTUzNjeE9WVXhYemg2UTNoNmRFcE5kRGRXV25ORU4yNUlhblZDYUhSWlZIbHBSM1pGWkVkbWVYVkdRM1ZJZVRWYWMwaG1Zamh6VmtwemVUTXRNV28yZVZGUWNXVkZja2Q0YjJOdk4wTk5URTVJYjNWQloyOHhjeUlzSW5ObGNuWmxja2h2YzNSUWIzSjBJam9pY21WamIyNHRibVJ5TG1GMWRHZ3VkWE10WldGemRDMHhMbUZ0WVhwdmJtTnZaMjVwZEc4dVkyOXRJaXdpWTNKbFlYUnBiMjVVYVcxbFUyVmpiMjVrY3lJNk1UVTRPRGsxTmprMU1Td2ljMlZ6YzJsdmJpSTZiblZzYkN3aWRYTmxja0YwZEhKcFluVjBaWE1pT201MWJHd3NJbWx6VTNSaGRHVkdiM0pNYVc1cmFXNW5VMlZ6YzJsdmJpSTZabUZzYzJWOTpaTXZrRjljaG1OUlRVM05ZbkM5RVJqdlRmWG4zaWJ5bDA1RGVTUWR4Ym5zPToz

timezone: America/New_York

metaData.device.name: Mac Chrome

metaData.device.type: BROWSER

code_challenge:

code_challenge_method:

user_code:
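To see which part of a capture like the one above pushes Tomcat over maxHttpHeaderSize, the following Python is an added example (not part of this issue and not FusionAuth's code). It sizes a request the way Tomcat's HTTP/1.1 parser has to buffer it: request line, every header line and the CRLFs, all counted against one buffer of maxHttpHeaderSize bytes (8192 by default in Tomcat 8.5), which is why a long `state` on the path and in the Referer counts just as much as the cookies do. It assumes HTTP/1.1 between the ALB and Tomcat. The request it checks is a constructed stand-in for the /oauth2/passwordless capture: filler of similar length replaces the real state value, cookie contents and session ids, and the 4000-byte first ALB chunk is an assumption about how the ALB splits its session cookie, not a value taken from the thread.

```python
"""Size a captured request the way Tomcat buffers it and rank what fills the buffer.

Added example for this issue, not FusionAuth code. Assumes HTTP/1.1 between the
load balancer and Tomcat: request line, each header line and the terminating
blank line are read into one buffer of maxHttpHeaderSize bytes (8192 by default
in Tomcat 8.5); "Request header is too large" is raised when that buffer fills.
"""
from __future__ import annotations

TOMCAT_DEFAULT_MAX_HEADER = 8192
CRLF = b"\r\n"

# Constructed stand-in for the /oauth2/passwordless capture in the thread.
# Filler of similar length replaces the real state value, cookie contents and
# session ids; the 4000-byte first ALB chunk assumes the ALB splits its session
# cookie into roughly 4 KB pieces (an assumption, not taken from the thread).
STATE = "Z" * 2600
REDIRECT = "https%3A%2F%2Fapp.example%2Foauth2%2Fidpresponse"
PATH = (
    f"/oauth2/passwordless?tenantId=t1&client_id=c1&nonce=&redirect_uri={REDIRECT}"
    f"&response_mode=&response_type=code&scope=openid&state={STATE}"
    "&timezone=America%2FNew_York&metaData.device.name=Mac%20Chrome"
    "&metaData.device.type=BROWSER&code_challenge=&code_challenge_method=&user_code="
)
HEADERS: list[tuple[str, str]] = [
    ("Host", "auth.example"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Accept-Language", "en-US,en;q=0.9"),
    ("Cookie", "; ".join([
        "fusionauth.locale=enUS",
        "fusionauth.trust=00-" + "T" * 36,
        "AWSELBAuthSessionCookie-0=" + "A" * 4000,
        "AWSELBAuthSessionCookie-1=" + "B" * 140,
        "JSESSIONID=" + "C" * 32,
    ])),
    ("Referer", f"https://auth.example/oauth2/authorize?client_id=c1&redirect_uri={REDIRECT}"
                f"&scope=openid&response_type=code&state={STATE}"),
    ("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"),
]


def request_line(method: str, path: str) -> bytes:
    return f"{method} {path} HTTP/1.1".encode()


def wire_size(method: str, path: str, headers: list[tuple[str, str]]) -> int:
    """Bytes Tomcat has to buffer before it can start processing the request."""
    size = len(request_line(method, path)) + len(CRLF)
    for name, value in headers:
        size += len(f"{name}: {value}".encode()) + len(CRLF)
    return size + len(CRLF)  # blank line that ends the header block


def breakdown(method: str, path: str, headers: list[tuple[str, str]]) -> dict[str, int]:
    """Bytes per contributor. The Cookie header is split per cookie so the
    ranking shows which cookie is responsible, not just that cookies are."""
    parts = {"request-line": len(request_line(method, path))}
    for name, value in headers:
        if name.lower() == "cookie":
            for pair in value.split("; "):
                parts[f"cookie:{pair.partition('=')[0]}"] = len(pair.encode())
        else:
            parts[name] = len(f"{name}: {value}".encode())
    return parts


def check_against_limit(method: str, path: str, headers: list[tuple[str, str]],
                        limit: int = TOMCAT_DEFAULT_MAX_HEADER) -> dict:
    """Report whether the request fits the buffer and what is eating the budget."""
    total = wire_size(method, path, headers)
    ranked = sorted(breakdown(method, path, headers).items(),
                    key=lambda kv: kv[1], reverse=True)
    return {"total": total, "limit": limit, "fits": total <= limit, "top": ranked[:3]}


if __name__ == "__main__":
    report = check_against_limit("GET", PATH, HEADERS)
    print(f"{report['total']} bytes against a {report['limit']}-byte buffer; fits: {report['fits']}")
    for name, size in report["top"]:
        print(f"  {size:6d}  {name}")
```

Paste a real capture into `PATH` and `HEADERS` to get the same ranking for your own deployment; the useful output is not only whether the total fits but how much headroom is left once the largest ALB cookie chunk and the state-bearing path and Referer are added together, which is what decides whether raising the limit to a given value is enough.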

robotdan commented 4 years ago

Great, that is helpful. It does look like AWSELBAuthSessionCookie-0 and AWSELBAuthSessionCookie-1 are primarily to blame for the size of the request.

I can do some additional research into those cookies to see if there are any recommended settings to account for these cookie lengths.

If it all looks legit, we can increase our default size and / or provide some configuration.

Thanks for the excellent debug! Super helpful.

shortstack commented 4 years ago

Hahaha, love the rename.

This is the only hiccup we've had (short of getting OAuth/SSO integrated with TheHive, work in progress), and now it is resolved.

Thank you for taking this into consideration! Appreciate it! We are loving this platform so far and plan to use it heavily going forward.

deelalwani commented 2 years ago

@robotdan

My organisation just ran into this issue. It's currently affecting a whole environment and the users are unable to log in. Were there any quick fixes here?

robotdan commented 2 years ago

This was fixed in version 1.17.0 which came out in June of 2020. https://fusionauth.io/docs/v1/tech/archive/release-notes#version-1-17-0

You will need to upgrade beyond this version to pick up this fix or manually update Apache Tomcat config to support a larger request header.

deelalwani commented 2 years ago

@robotdan From what we understand, we need to change fusionauth-app.http.max-header-size in /usr/local/fusionauth/config/fusionauth.properties. Is this something which is accessible via Terraform?