vmware-archive / gangway

An application that can be used to easily enable authentication flows via OIDC for a Kubernetes cluster.
Apache License 2.0

A user in a sufficiently large number of groups will get a gangway_id_token too large for Chrome to set #130

Closed nickperry closed 5 years ago

nickperry commented 5 years ago

Chrome has an upper bound on each cookie of 4096 bytes. I understand that some other browsers are limited to 4093 bytes.

A significant proportion of users in our organisation are members of enough LDAP groups to inflate the size of the gangway_id_token cookie in the response headers from /callback to be above this limit.

The result is that the cookie does not get set by their browser and is absent in their subsequent call to /commandline. They cannot therefore use Gangway to log in.

nickperry commented 5 years ago

It seems like the easiest cross-browser fix might be just to span the id_token data over multiple cookies with sequentially numbered suffixes. An additional cookie could be introduced to define the number of additional cookies that have been used and that need processing from a request.
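The multi-cookie scheme described in this comment, written out as an added Go example (not gangway's own code and not the code in PR #117; the cookie names, the `_count` suffix, the chunk size and the cookie attributes are assumptions). It splits an oversized value across `name_0`, `name_1`, ... cookies plus a `name_count` cookie, reassembles it from a later request, and treats a missing or malformed chunk as an error rather than returning a truncated token:

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Chrome's per-cookie ceiling from the issue, measured on the whole Set-Cookie line.
const browserCookieLimit = 4096

// splitCookies spreads value over cookies name_0, name_1, ... of at most chunkSize
// bytes each, then appends a name_count cookie holding the number of chunks.
func splitCookies(name, value string, chunkSize int) []*http.Cookie {
	var cookies []*http.Cookie
	for start := 0; start < len(value); start += chunkSize {
		end := start + chunkSize
		if end > len(value) {
			end = len(value)
		}
		cookies = append(cookies, &http.Cookie{Name: fmt.Sprintf("%s_%d", name, len(cookies)),
			Value: value[start:end], Path: "/", HttpOnly: true, Secure: true})
	}
	return append(cookies, &http.Cookie{Name: name + "_count",
		Value: strconv.Itoa(len(cookies)), Path: "/", HttpOnly: true, Secure: true})
}

// joinCookies reassembles the value from a later request; a missing or malformed
// chunk is reported as an error rather than yielding a silently truncated token.
func joinCookies(r *http.Request, name string) (string, error) {
	countCookie, err := r.Cookie(name + "_count")
	if err != nil {
		return "", err
	}
	n, err := strconv.Atoi(countCookie.Value)
	if err != nil || n < 0 {
		return "", fmt.Errorf("invalid %s_count cookie", name)
	}
	var sb strings.Builder
	for i := 0; i < n; i++ {
		part, err := r.Cookie(fmt.Sprintf("%s_%d", name, i))
		if err != nil {
			return "", fmt.Errorf("missing chunk %d of %s: %w", i, name, err)
		}
		sb.WriteString(part.Value)
	}
	return sb.String(), nil
}
```

The chunk size has to leave room for the cookie name and attributes, since the browser limit applies to the whole Set-Cookie line, which is why the check below measures `c.String()` rather than the bare value.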

alexbrand commented 5 years ago

Hey @nickperry! We have an open PR that addresses this: https://github.com/heptiolabs/gangway/pull/117

We haven't had a chance to look at it. It would be great if you could provide a testing data point, although the PR is most likely out of date with master.

nickperry commented 5 years ago

Thanks @alexbrand. I managed to overlook that PR. I will try it tomorrow and feed back. Many thanks.

croissong commented 5 years ago

Rebased it onto master :) Yes, please test it out. We've been running it successfully on our clusters.

alexbrand commented 5 years ago

Awesome @Croissong! Would be great to get this in. Thanks!

nickperry commented 5 years ago

@Croissong @alexbrand PR #117 works like a charm. I made some artificially large credentials, they spanned correctly:

[image]

and were able to log in.

Many thanks.

nocquidant commented 5 years ago

I can confirm it works great for me too. Thanks @Croissong

nickperry commented 5 years ago

Further to my artificially modified account testing last night, today we've had multiple real users, who could not log in previously, report that they can now log in fine with @Croissong's patch.

HerrmannHinz commented 5 years ago

Is this ticket closed? I see something is merged.

jenting commented 5 years ago

> Is this ticket closed? I see something is merged.

Yes, and included in release v3.2.0.

alexbrand commented 5 years ago

Yep! Closing as this was fixed by #117

HerrmannHinz commented 5 years ago

Nice, thanks.
