okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

Facing 431 Request Header Fields Too Large error #14

Open hirenoble opened 3 years ago

hirenoble commented 3 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

When the browser cookie payload is large, I receive a 431 Request Header Fields Too Large error.

Expected behavior

The @okta/oidc-middleware package should handle the request headers.

Minimal reproduction of the problem with instructions

Extra information about the use case/user story you are trying to implement

Environment

swiftone commented 3 years ago

@hirenoble - Thanks for the feedback. For clarity, you're receiving this from the express server on a page you're serving, correct? Do you have an example cookie payload size (we don't need the exact cookies, just a payload size that reproduces the error)?

aarongranick-okta commented 3 years ago

internal ref: OKTA-367034

swiftone commented 3 years ago

Note: This may be due to a node fix of this issue: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121

The fix sets the max size of headers to 8 KB (you can see this in `node --help`). If you are exceeding that, you can alter this limit by using the `--max-http-header-size` flag, for example: `--max-http-header-size=16384`

Please let us know if you're hitting this limit of node or if you're hitting a different limit that is somehow related to this SDK.