Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookie token too big when using IDP #1838

Open
rikatz opened this issue Apr 13, 2022 · 5 comments
Open

Cookie token too big when using IDP #1838

rikatz opened this issue Apr 13, 2022 · 5 comments
Assignees
@dvaldivia
Labels
bug this needs to be fixed

Comments

@rikatz
Copy link
Contributor

rikatz commented Apr 13, 2022

When using IDP, the provider may return a big JWT token.

This JWT is part of the SessionToken and may be used later.

Apparently, in Minio Console, all the credentials are marshalled and then encrypted and finally turned into a base64:

console/pkg/auth/token.go

Lines 127 to 137 in 5e10719

func encryptClaims(credentials *TokenClaims) (string, error) {
payload, err := json.Marshal(credentials)
if err != nil {
return "", err
}
ciphertext, err := encrypt(payload, []byte{})
if err != nil {
return "", err
}
return base64.StdEncoding.EncodeToString(ciphertext), nil
}

This may end up with a Cookie bigger than 4096 bytes, and then not being persisted by the browser and used later.

A possible solution (if accepted) would be to use some compression before encryption, in a way that the raw text/string can be reduced, and then encrypted (in a cost of probably a bit more CPU).

The opposite should happen as well. So one suggestion:

// encryptClaims() receives the STS claims, concatenate them and encrypt them using AES-GCM
// returns a base64 encoded ciphertext
func encryptClaims(credentials *TokenClaims) (string, error) {
	payload, err := json.Marshal(credentials)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	payloadgz := gzip.NewWriter(&b)
	if _, err := payloadgz.Write(payload); err != nil {
		return "", err
	}
	if err := payloadgz.Close(); err != nil {
		log.Fatal(err)
	}

	ciphertext, err := encrypt(b.Bytes(), []byte{})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ciphertext), nil
}

Testing locally, and using default gzip compression, a 4500 bytes cookie could be properly reduced to 2589 bytes, and then the authentication moving forward without any problem.

If this is accepted by the community, I can raise a PR changing encrypt/decrypt Claims to compress before encrypt.
@dvaldivia
Copy link
Collaborator

We can alternatively chunk the cookie, like we did for the hop usecase @Alevsk

@dvaldivia
Copy link
Collaborator

Cookie Chunks 🍪🍪🍪🍪

@dvaldivia dvaldivia added the bug this needs to be fixed label Apr 14, 2022
@harshavardhana
Copy link
Member

is this finished @dvaldivia ?

@kaankabalak kaankabalak mentioned this issue Dec 12, 2022
Closed
@Sammyant
Copy link

Sammyant commented Aug 29, 2023
edited
Loading

Hi everyone
It there any fix/plans? we are still experiencing this problem with big jwt token from IDP
We get "malformed response cookie" from 'auth' endpoint

@bayasdev
Copy link
Contributor

This is not a priority for us at the moment. If you have too many roles/claims in your IDP the token may become too big, feel free to open a PR to fix it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dvaldivia dvaldivia

Labels
bug this needs to be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@harshavardhana @Alevsk @rikatz @dvaldivia @bayasdev @Sammyant