puiterwijk / flask-oidc

OpenID Connect support for Flask
BSD 2-Clause "Simplified" License

oidc_id_token cookie > 4k ... ignored by chrome #53

Open Climbgunks opened 6 years ago

Climbgunks commented 6 years ago

Possibly related to #42

Using flask-oidc in a web application against our enterprise ID server. Our ID token includes group information that can be quite extensive when the user belongs to hundreds of groups or more.

In one particular case, we're generating a cookie of size 4119 bytes, and it appears Chrome is ignoring this cookie, and therefore we get thrown into a 302 redirect loop as the client repeatedly tries to access /, gets redirected to the OIDC callback, which creates a cookie Chrome is going to ignore, and the browser tries / again...

I believe the assumption that the cookie (serialized JWT oidc_id_token) will be under 4k is flawed, and if so, not sure there is a clean workaround. In our case, I was able to subclass the JWT serializer and remove all the group membership info before serialization. This works, but binds us to knowing the internals of this package as well as what is being returned by our auth server.

Additional info: Chrome fails; Firefox and IE work with the 4119-byte cookie above. Other users have more group information associated with them, but haven't been through the web app yet.
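The size problem described in this issue, as an added example that is not code from flask-oidc or from the reporter. It models the ID-token cookie with a compact JWS-style HMAC-SHA256 serializer (a stand-in so the byte arithmetic is realistic; it is not the serializer flask-oidc uses), measures the `name=value` pair against the 4096-byte figure RFC 6265 requires user agents to support and that browsers commonly enforce as a ceiling, and applies the reporter's workaround of stripping the bulky `groups` claim before the token is written, failing loudly if the cookie still would not fit rather than emitting one the browser will drop into a redirect loop. The claims, issuer and cookie name are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# RFC 6265 obliges user agents to support cookies of at least 4096 bytes and
# browsers commonly treat that as the ceiling: a Set-Cookie whose name=value
# pair is longer is silently dropped, which is what produces the redirect loop.
MAX_COOKIE_BYTES = 4096
COOKIE_NAME = "oidc_id_token"


def make_claims(num_groups):
    """Constructed sample ID-token claims (not real IdP output) with a group
    list of the requested size, the claim that blows the budget here."""
    return {
        "iss": "https://idp.example.com",  # assumed issuer
        "sub": "alice",
        "aud": "flask-app",
        "exp": 1700000000,
        "groups": [f"group-{i}" for i in range(num_groups)],
    }


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def serialize(claims, secret):
    """Compact JWS-style serialization: header.payload.signature (HMAC-SHA256).
    A stand-in for a signed cookie serializer, not flask-oidc's own."""
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify(token, secret):
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(
        hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    )
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_b64url_decode(payload))


def cookie_size(name, value):
    """Bytes the browser counts: the name, '=', and the value."""
    return len(name.encode()) + 1 + len(value.encode())


def fits(name, value):
    return cookie_size(name, value) <= MAX_COOKIE_BYTES


def slim_claims(claims, bulky=("groups",)):
    """Drop the bulky claims before the token goes into the cookie, mirroring
    the reporter's workaround of stripping group membership at serialization."""
    return {k: v for k, v in claims.items() if k not in bulky}


def build_cookie(claims, secret, name=COOKIE_NAME):
    """Serialize the claims for the cookie. If the result would exceed the
    browser limit, strip the bulky claims and try again; if it still does not
    fit, raise instead of setting a cookie the browser will ignore.
    Returns (value, stripped)."""
    value = serialize(claims, secret)
    if fits(name, value):
        return value, False
    value = serialize(slim_claims(claims), secret)
    if not fits(name, value):
        raise ValueError(
            f"{name} would be {cookie_size(name, value)} bytes even after "
            f"stripping bulky claims; store the token server-side instead"
        )
    return value, True


if __name__ == "__main__":
    key = b"example-secret"  # assumed; use the app's real secret in practice
    for n in (50, 300):
        raw = serialize(make_claims(n), key)
        value, stripped = build_cookie(make_claims(n), key)
        print(n, "groups:", cookie_size(COOKIE_NAME, raw), "bytes raw,",
              cookie_size(COOKIE_NAME, value), "bytes set, stripped =", stripped)
```

The check belongs at the point the cookie is set, before the response leaves the server; once the browser has silently dropped the cookie the only symptom is the loop. Stripping claims keeps the signed token self-contained but loses the group data on the client side; the alternative that scales regardless of group count is to keep the full token in server-side session storage and set only a short session identifier in the cookie.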