Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deal with 4KB cookie limit for JWT #1103

Closed
jessesuen opened this issue Feb 11, 2019 · 8 comments
Closed

Deal with 4KB cookie limit for JWT #1103

jessesuen opened this issue Feb 11, 2019 · 8 comments
Assignees
@alexec
Labels
enhancement New feature or request security Security related
Milestone
v0.12

Comments

@jessesuen
Copy link
Member

It's possible for Argo CD's JWT auth token to be larger than 4KB, which is the maximum size of a HTTP cookie. This limitation was hit after configuring Dex's GitHub loadAllGroups flag to return the entire list of group claims for a user.

This issue is to find alternative means of dealing with the 4KB limit. Some options:

  1. compress the JWT
  2. use a traditional session ID and store actual JWT in redis
  3. session storage

Note we should not use local storage. For reasons, see: https://dev.to/rdegges/please-stop-using-local-storage-1i04
@jessesuen
Copy link
Member Author

Seems like this may provide the best experience (session tokens carried to other tabs) without compromising security:
https://blog.guya.net/2015/06/12/sharing-sessionstorage-between-tabs-for-secure-multi-tab-authentication/

@alexmt LMK your thoughts

@jessesuen jessesuen added this to the v0.12 milestone Feb 12, 2019
@jessesuen
Copy link
Member Author

Current JWT handling described here: https://github.com/argoproj/argo-cd/blob/master/docs/security.md

@alexec
Copy link
Contributor

alexec commented Feb 19, 2019

view-source:https://blog.guya.net/security/browser_session/memoryStorage.html

@alexec
Copy link
Contributor

alexec commented Feb 19, 2019

My investigation revealed that any option that works-around cookies would not work for EventSource. This is because EventSource does not allow you to modify headers. We need to do this to inject our large cookie.

Instead, we'll modify the application to display a clear error on large cookie.

alexec added a commit to alexec/argo-cd that referenced this issue Feb 19, 2019
@alexec
Display a warning if the JWT cookie is too large. Fixes argoproj#1103
2a4eddc
@alexec alexec closed this as completed in c630e19 Feb 21, 2019
@larslevie larslevie mentioned this issue May 23, 2019
Closed
@jaxxstorm jaxxstorm mentioned this issue Aug 16, 2019
Closed
@alexec
Copy link
Contributor

alexec commented Aug 23, 2019

Update - theres https://github.com/Yaffle/EventSource that will work I think.

@alexec alexec mentioned this issue Aug 23, 2019
Merged
@alexec alexec added the security Security related label Aug 23, 2019
@alexec alexec added the enhancement New feature or request label Nov 13, 2019
@reggie-k reggie-k mentioned this issue Dec 25, 2019
Closed
@mauro-dellachiesa
Copy link

Is there a plan to fix this in any future release?
Thanks!

@professor-layton
Copy link

Hi, I also encounter the issue because of large claims acquired.
Appreciate to hear about a plan to fix it in future.
Thanks

@professor-layton
Copy link

Hi, I also encounter the issue because of large claims acquired.
Appreciate to hear about a plan to fix it in future.
Thanks

I found a way for filter the 'goups' to decrease the size of cookies:
image

in dex source code, there're all already some logic for groups filtering.
So I just add a list for 'groups' I prefer in the dex config, and then it works

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexec alexec

Labels
enhancement New feature or request security Security related
Projects
None yet
Milestone
v0.12
Development

No branches or pull requests
4 participants
@alexec @jessesuen @mauro-dellachiesa @professor-layton