Endless loop after Azure AD login

[tvarlemann]

Hi,

I get and endless loop after login with Azure AD:
demoapp -> singin -> authorize -> signin-oidc -> demoapp -> singin -> authorize -> signin-oidc -> demoapp

if i look at userinfo everything is there. What can cause that ?

[IvanJosipovic]

Once you're redirected back to "signin-oidc", a cookie should be saved in the browser that will allow the session to pass through.

What is your app hostname and oidc-guard hostname?

Lets say its like this:
oidc-guard.domain.com
my-app.domain.com

In this case, you would want the cookieDomain in the helm values to be "domain.com"

[tvarlemann]

thank you this does the trick :-)

[tvarlemann]

okay i was happy to early, i have enabled the groups claim in Azure.

but now i get an 502

and multiple cookies are created:

If i remove the claim it works again.

[IvanJosipovic]

Nginx ingress has a maximum size for the headers which the cookie is a part of, if you look at its logs, you will see that its complaining.

You can fix this by updating nginx ingress helm values with the following:

controller:
  config: 
   large-client-header-buffers: 4 16k

More details, https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#large-client-header-buffers

I added some more docs on these issues, https://github.com/IvanJosipovic/OIDC-Guard/wiki/Troubleshooting

[tvarlemann]

Hey,

thank but i need 17k :-) fun.

Now i got the next problem if i use /userinfo i get http 500 and in the logs is written down :
fail: Microsoft.AspNetCore.Server.Kestrel[13] Connection id "0HMU68CC39MIV", Request id "0HMU68CC39MIV:00000001": An unhandled exception was thrown by the application. System.ArgumentException: An item with the same key has already been added. Key: wids at System.Collections.Generic.Dictionary2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
at System.Collections.Generic.Dictionary2.Add(TKey key, TValue value) at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable1 source, Func2 keySelector, Func2 elementSelector, IEqualityComparer1 comparer) at oidc_guard.Program.<>c.<Main>b__1_11(HttpContext httpContext) in /src/Program.cs:line 238 at Microsoft.AspNetCore.Http.Generated.<GeneratedRouteBuilderExtensions_g>FB49A76E00958A78ED8A3DC031D4149080B37ED6EB129C512F9112A3DB80F087D__GeneratedRouteBuilderExtensionsCore.<>c__DisplayClass3_0.<MapGet1>g__RequestHandler|4(HttpContext httpContext) in /src/Microsoft.AspNetCore.Http.RequestDelegateGenerator/Microsoft.AspNetCore.Http.RequestDelegateGenerator.RequestDelegateGenerator/GeneratedRouteBuilderExtensions.g.cs:line 203 at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext) at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware.InvokeInternal(HttpContext context) at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication1 application)
`

[IvanJosipovic]

The /userinfo bug is fixed in version 2.3.3