SSO does not work for users with a lot of groups due to exceeding max browser cookie size limit #10153
Comments
maybe similar to #9530
Note: #10170 did not fully fix the issue.
I tried splitting the large cookie, but it seems very complex.

```yaml
sso:
  scopes:
    - groups
    - email
  filterSSOGroupsRegex: "argo-wf"
  rbac:
    enabled: true
```

This way, the backend would filter out groups received and keep only the groups that contain "argo-wf". @sarabala1979 @juliev0 @alexec wdyt?
Argo CD seems to have implemented cookie splitting in argoproj/argo-cd#5497

I guess we could also implement cookie splitting on top of filtering.

Yea for any users finding themselves here, if
Pre-requisites
:latest
What happened/what you expected to happen?
After setting up Argo Workflow with an external SSO we noticed certain users can log in with correct groups showing up while others cannot. Argo server logs show "token not valid for running mode".
To debug, we compiled Argo Workflow ourselves and added tons of debug logs.
Eventually we were able to pinpoint that everything is normal until the part that sets the authorization Cookie in HandleCallback. In the non-working case the final Cookie size is 5000+ bytes, which exceeds the 4096 bytes limit. This causes the `authorization` Cookie not to be written at all, which makes subsequent requests not contain the "authorization" header and leads to "token not valid for running mode" since it's empty. I think we probably need to consider reducing the size of this Cookie or use a different approach?
Thanks.
Version
V3.4.3
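The group filtering proposed in the thread, sketched in Go as an added example (it is not Argo Workflows code and not from any participant): it shows a groups claim pushing the `authorization` cookie past the 4096-byte limit and a regex filter bringing it back under. The token encoding, the group names and all function names are assumptions made for illustration; only the `argo-wf` pattern and the limit come from the issue.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

const maxCookieBytes = 4096 // per-cookie limit cited in the issue

// filterGroups keeps only the groups that match pattern.
func filterGroups(groups []string, pattern string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("invalid group filter %q: %w", pattern, err)
	}
	kept := []string{}
	for _, g := range groups {
		if re.MatchString(g) {
			kept = append(kept, g)
		}
	}
	return kept, nil
}

// tokenFor is a stand-in token (base64url JSON claims); it only models how groups drive size.
func tokenFor(groups []string) string {
	claims, _ := json.Marshal(map[string]interface{}{"sub": "user@example.com", "groups": groups})
	return base64.RawURLEncoding.EncodeToString(claims)
}

// cookieSize is the length of the serialized cookie, attributes included.
func cookieSize(name, value string) int {
	return len((&http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: true, Secure: true}).String())
}

// sampleGroups returns constructed data: two argo-wf groups plus 120 unrelated ones.
func sampleGroups() []string {
	groups := []string{"argo-wf-admins", "argo-wf-readers"}
	for i := 0; i < 120; i++ {
		groups = append(groups, fmt.Sprintf("corp-department-%03d-readers", i))
	}
	return groups
}

func main() {
	all := sampleGroups()
	kept, _ := filterGroups(all, "argo-wf")
	fmt.Println(cookieSize("authorization", tokenFor(all)), cookieSize("authorization", tokenFor(kept)))
}
```

Filtering must run before RBAC rules are evaluated against the same claim, so any group an RBAC rule depends on has to match the pattern or the user loses that access.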