markbates / goth

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.
https://blog.gobuffalo.io/goth-needs-a-new-maintainer-626cd47ca37b
MIT License

microsoftonline: gzip of cookie no longer enough #448

Open mediumdaver opened 2 years ago

mediumdaver commented 2 years ago

I am getting the infamous "securecookie: the value is too long" error when using Microsoft online provider. It seems that the returned data, even after gzip compression, is coming in at around 3,974 bytes and failing to be set.

We need a new mechanism, perhaps using web storage or splitting the cookie into parts?

dobin commented 2 years ago

I have the same issue when using azureadv2 authentication provider.

Edit: I also don't use the goth cookies. I disabled it like this, but maybe there's a better solution:

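    // Session data goes to files (path "" means os.TempDir()); the cookie carries only the session ID.
    store := sessions.NewFilesystemStore("", []byte("fsstore"))
    gothic.Store = store

joriszwart commented 2 years ago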

@dobin: see my comment in https://github.com/markbates/goth/issues/463#issuecomment-1234547285 for a possible solution increasing the maximum size.
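
The cookie-splitting idea raised in the first comment, sketched with the standard library only. This is an added example, not code from goth or gorilla/sessions; `SplitCookies`, `JoinCookies`, `chunkSize`, the cookie name `sess` and the demo key are assumptions. It authenticates the value with one HMAC over the whole payload but does not encrypt it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

const chunkSize = 3000 // bytes per part, below the ~4096-byte per-cookie browser limit

func sign(key []byte, s string) string { // HMAC-SHA256 tag, base64url-encoded
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// SplitCookies signs the whole payload once, then spreads it over name_0, name_1, ...
func SplitCookies(name string, payload, key []byte) (out []*http.Cookie) {
	enc := base64.RawURLEncoding.EncodeToString(payload)
	val, buf := enc+"."+sign(key, name+"|"+enc), make([]byte, chunkSize)
	for i := 0; len(val) > 0; i++ {
		n := copy(buf, val) // n = min(chunkSize, len(val))
		out = append(out, &http.Cookie{Name: fmt.Sprintf("%s_%d", name, i), Value: val[:n],
			Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
		val = val[n:]
	}
	return out
}

// JoinCookies reassembles the parts and checks the MAC before decoding anything.
func JoinCookies(r *http.Request, name string, key []byte) ([]byte, error) {
	joined := ""
	c, err := r.Cookie(name + "_0")
	for i := 1; err == nil; i++ {
		joined += c.Value
		c, err = r.Cookie(fmt.Sprintf("%s_%d", name, i))
	}
	enc, mac, ok := strings.Cut(joined, ".")
	if !ok || !hmac.Equal([]byte(mac), []byte(sign(key, name+"|"+enc))) {
		return nil, fmt.Errorf("cookie %q missing, truncated or tampered", name)
	}
	return base64.RawURLEncoding.DecodeString(enc)
}

func main() { // constructed 6000-byte payload standing in for an oversized session
	fmt.Println(len(SplitCookies("sess", make([]byte, 6000), []byte("constructed-demo-key"))), "cookies")
}
```

When a later payload needs fewer parts, the leftover higher-numbered cookies must be expired, otherwise `JoinCookies` appends the stale part and the MAC check rejects the session.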