
Infinite authentication loop #33

Closed
hanikesn opened this issue Feb 8, 2017 · 9 comments

Comments

@hanikesn
Contributor

hanikesn commented Feb 8, 2017

With 1.2.3 the encrypted id_token is saved in the session data (#29). This pushes the session cookie size above 4 kb with e.g. Azure Active Directory and thus the cookie will not be stored by most browsers.

Possible workarounds are to use a different session store. Using a gzip based session encoder might also be an option.

@hanikesn
Contributor Author

hanikesn commented Feb 8, 2017

Compressing the cookie with gzip brought it down to 3822 bytes. Maybe it makes sense to split it up into multiple cookies.

@zandbelt
Contributor

zandbelt commented Feb 8, 2017

That is a fair suggestion: I've done something similar for mod_auth_openidc in the past; https://github.com/pingidentity/mod_auth_openidc/issues/153

@iperdomo
Contributor

iperdomo commented Feb 9, 2017

I just got hit by this issue while trying to make a sample using lua-resty-openidc & Keycloak. A full debug log of the infinite redirect can be found at:
https://gist.github.com/iperdomo/3a0a6401000b07cddf9737e4ec8aadd0

I didn't realize that was due to the fact that the cookie was too big and the browser won't store it.

@zandbelt
Contributor

zandbelt commented Feb 9, 2017

Ok, thanks for chiming in; in the short term I'll look to issue a clear warning about size limits, in the mid-term I'll implement chunked cookies. Of course PRs are welcome...

@bungle
Contributor

bungle commented Feb 11, 2017

@hanikesn / @iperdomo

I have now implemented chunked cookie support in lua-resty-session that this lua-resty-openidc depends on.

Just grab the latest session.lua from here:
https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session.lua

Also you may need to add something like this to your nginx.conf:

large_client_header_buffers 4 16k;

@iperdomo
Contributor

@bungle thanks for your support. I patched my example with the code at rev 67b8354 and I can confirm that the infinite loop is gone. In my case the cookie was chunked in 2 pieces.

[screenshot attached: 2017-02-12-151637_1335x176_scrot]

@zandbelt
Contributor

zandbelt commented Feb 12, 2017

Same thing for me, a quick test works; I got my - artificially enlarged - session cookie split across 4 Set-Cookie headers and they were all provided and assembled back from a single Cookie header in the subsequent request.
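The mechanism the last few comments describe, as an added example that is not code from this thread, from lua-resty-session or from lua-resty-openidc: an oversize Set-Cookie is silently dropped by the browser, the next request carries no session, and the relying party redirects to the IdP again; splitting the value across several cookies keeps each one under the cap, and the server reassembles them from the single Cookie header the browser sends back. The chunk layout used here (a marker cookie holding the count plus `name_1`..`name_n`) and the 200-byte attribute allowance are assumptions for illustration, not lua-resty-session's wire format, and the 4096-byte limit is the commonly cited per-cookie browser cap. `browser_cookie_header` is a hypothetical helper that stands in for the browser.

```python
from typing import Dict, List, Optional

# Browsers commonly refuse any single cookie whose name, value and attributes
# exceed roughly 4096 bytes; the Set-Cookie is dropped silently, so the next
# request arrives without a session and the relying party redirects to the
# IdP again. That is the loop reported in this issue.
COOKIE_LIMIT = 4096

# Reserve room for the cookie name, "=" and attributes such as Path/HttpOnly/Secure
# (assumed allowance; a real implementation measures the attributes it emits).
ATTRIBUTE_OVERHEAD = 200
CHUNK_SIZE = COOKIE_LIMIT - ATTRIBUTE_OVERHEAD  # 3896 bytes of value per chunk

DEFAULT_ATTRIBUTES = "Path=/; HttpOnly; Secure; SameSite=Lax"


def fits_in_one_cookie(name: str, value: str) -> bool:
    """True when name=value plus the attribute allowance stays under the browser cap."""
    return len(name) + 1 + len(value) + ATTRIBUTE_OVERHEAD <= COOKIE_LIMIT


def chunk_cookie(name: str, value: str, attributes: str = DEFAULT_ATTRIBUTES) -> List[str]:
    """Return the Set-Cookie header values needed to store `value`.

    Layout used here (an assumption for illustration, not lua-resty-session's
    wire format): `name` holds the chunk count and `name_1`..`name_n` hold the
    pieces. A value that fits is emitted as one ordinary cookie.
    """
    if fits_in_one_cookie(name, value):
        return [f"{name}={value}; {attributes}"]
    pieces = [value[i:i + CHUNK_SIZE] for i in range(0, len(value), CHUNK_SIZE)]
    headers = [f"{name}={len(pieces)}; {attributes}"]
    headers += [f"{name}_{i}={piece}; {attributes}" for i, piece in enumerate(pieces, start=1)]
    return headers


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Parse a request Cookie header ("a=1; b=2") into a name -> value map."""
    jar: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            key, val = part.split("=", 1)
            jar[key.strip()] = val
    return jar


def reassemble_cookie(name: str, cookie_header: str) -> Optional[str]:
    """Rebuild the stored value from the Cookie header of the next request.

    Returns None when the marker or any chunk is missing, so the caller treats
    the session as absent instead of decrypting a truncated value. Chunking
    adds no integrity of its own: the reassembled value must still pass the
    session layer's MAC/decryption check exactly as an unchunked one would.
    """
    jar = parse_cookie_header(cookie_header)
    marker = jar.get(name)
    if marker is None:
        return None
    if not (marker.isdigit() and f"{name}_1" in jar):
        return marker  # plain, unchunked cookie
    pieces = []
    for i in range(1, int(marker) + 1):
        piece = jar.get(f"{name}_{i}")
        if piece is None:
            return None  # a chunk was dropped or never arrived
        pieces.append(piece)
    return "".join(pieces)


def browser_cookie_header(set_cookie_headers: List[str]) -> str:
    """Stand-in for the browser: drop any oversize Set-Cookie, return the rest as one Cookie header."""
    kept = [h.split(";", 1)[0] for h in set_cookie_headers if len(h) <= COOKIE_LIMIT]
    return "; ".join(kept)


def round_trip(name: str, value: str, chunked: bool) -> Optional[str]:
    """Store `value` with or without chunking and return what the server sees on the next request."""
    if chunked:
        headers = chunk_cookie(name, value)
    else:
        headers = [f"{name}={value}; {DEFAULT_ATTRIBUTES}"]
    return reassemble_cookie(name, browser_cookie_header(headers))


if __name__ == "__main__":
    # Constructed stand-in for an encrypted session that carries an id_token: ~5 KB.
    session_blob = "x" * 5000
    print("unchunked session seen by server:", round_trip("session", session_blob, chunked=False))
    print("chunked round trip intact:", round_trip("session", session_blob, chunked=True) == session_blob)
    print("Set-Cookie headers emitted:", len(chunk_cookie("session", session_blob)))
```

Note that the chunks all come back in a single Cookie header, so the request header grows to the full session size even though each Set-Cookie stayed small; nginx's default `large_client_header_buffers` is `4 8k`, which is why a setting such as the `large_client_header_buffers 4 16k;` suggested above is needed once a session approaches that size. Returning None on a missing chunk, rather than decrypting whatever arrived, is what keeps a partially delivered cookie from being treated as a valid but truncated session.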

@bungle
Contributor

bungle commented Feb 13, 2017

@iperdomo / @zandbelt,

Thank you for further testing this out. I will soon prepare a new release of lua-resty-session that has support for chunked cookies.

@zandbelt
Contributor

@bungle @iperdomo thanks; closing the issue here now
