SSO does not work for users with a lot of groups due to exceeding max browser cookie size limit #10153

kolorful · 2022-12-01T21:53:07Z

Pre-requisites

I have double-checked my configuration
I can confirm the issues exists when I tested with :latest
I'd like to contribute the fix myself (see contributing guide)

What happened/what you expected to happen?

After setting up Argo Workflow with an external SSO we noticed certain users can login with correct groups showing up while others cannot. Argo server logs show "token not valid for running mode".

To debug, we compiled Argo Workflow ourselves and added tons of debug logs.

Eventually we were able to pinpoint everything is normal until the part that sets authorization Cookie in HandleCallback. In non-working case the final Cookie size is 5000+ bytes, which exceeds the 4096 bytes limit. This causes the authorization Cookie not to be written at all, which makes subsequent requests do not contain the "authorization" header and leads to "token not valid for running mode" since it's empty.

I think we probably need to consider reducing the size of this Cookie or use a different approach?

Thanks.

Version

V3.4.3

Paste a small workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflows that uses private images.

N/A, just set up an fresh Argo Workflow with SSO then login with a user that has a ton of groups so cookie will exceed 4096 bytes

Logs from the workflow controller

N/A

Logs from in your workflow's wait container

N/A

The text was updated successfully, but these errors were encountered:

tooptoop4 · 2022-12-02T18:55:36Z

maybe similar to #9530

… size. Fixes #9530, #10153 (#10170) Signed-off-by: Kewei Ma <kewei@indeed.com> Signed-off-by: Alex Collins <alex_collins@intuit.com> Co-authored-by: Alex Collins <alexec@users.noreply.github.com> Co-authored-by: Alex Collins <alex_collins@intuit.com>

kolorful · 2023-02-13T17:12:30Z

Note: #10170 did not fully fix the issue.

… size. Fixes #9530, #10153 (#10170) Signed-off-by: Kewei Ma <kewei@indeed.com> Signed-off-by: Alex Collins <alex_collins@intuit.com> Co-authored-by: Alex Collins <alexec@users.noreply.github.com> Co-authored-by: Alex Collins <alex_collins@intuit.com>

basanthjenuhb · 2023-09-08T03:07:28Z

I tried splitting the large cookie, but seems very complex
One simple solution can be, filter groups received after Oauth

sso:
  scopes:
   - groups
   - email
filterSSOGroupsRegex: "argo-wf"
rbac:
  enabled: true

this way, backend would filter out groups received, and keep the only groups that contain "argo-wf".
Since the number of groups that remain would be very small, users can use this to limit the number of groups

@sarabala1979 @juliev0 @alexec wdyt ?

agilgur5 · 2023-09-09T21:30:03Z

I tried splitting the large cookie, but seems very complex

Argo CD seems to have implemented cookie splitting in argoproj/argo-cd#5497

basanthjenuhb · 2023-09-10T04:03:33Z

I tried splitting the large cookie, but seems very complex

Argo CD seems to have implemented cookie splitting in argoproj/argo-cd#5497

I guess we could also implement cookie splitting on top of filtering.

agilgur5 · 2023-09-10T06:21:55Z

I guess we could also implement cookie splitting on top of filtering.

Yea for any users finding themselves here, if groups filtering does not suffice for your needs, please open a new enhancement request for cookie splitting.

kolorful added the type/bug label Dec 1, 2022

kolorful changed the title ~~SSO does not work for users with a lot of groups due to max browser cookie size~~ SSO does not work for users with a lot of groups due to exceeding max browser cookie size limit Dec 1, 2022

This was referenced Dec 2, 2022

Support Large Bearer token for SSO authentication #9530

Closed

fix: stop writing RawClaim into authorization cookie to reduce cookie size. Fixes #9530, #10153 #10170

Merged

sarabala1979 added P3 Low priority P2 Important. All bugs with >=3 thumbs up that aren’t P0 or P1, plus: Any other bugs deemed important and removed P3 Low priority labels Dec 8, 2022