oauth2 filter: browser blocks BearerToken cookie because its size too large #27875

@kh34

Title: oauth2 filter: browser blocks BearerToken cookie because its size too large

Description:

I expected the cookie for BearerToken to be set on the response when forward_bearer_token: true. Instead, the browser (Chrome Version 114.0.5735.106) returns an error message on the attempt:

The attempt to set a cookie via a Set-Cookie header was blocked because the cookie was too large. The combined size of the name and value must be less than or equal to 4096 characters. 

Then, the behavior is similar to #21819, where the browser enters a 302 redirect loop.

It would be an improvement if the oauth2 filter could do any one of the following:

  1. Log a warning if the cookie size is too large
  2. Allow one to only set the Authorization header and not use cookies
  3. Set multiple cookies, each less than the max size, for a large BearerToken, e.g. splitting it up into parts that could be reassembled by the consumer

Repro steps:

With auth_scopes set to only openid, the id token is a reasonable size. With cloud providers such as Azure, when adding additional scopes for Microsoft applications, e.g. https://cognitiveservices.azure.com/.default, the access token returned seems to return a list of groups, which for some users can be quite large. Microsoft doesn't seem to allow customization of this token.

Config:

Using envoy:v1.26.1

```yaml
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      token_endpoint:
        cluster: <omitted>
        uri: https://login.microsoftonline.com/<omitted>/oauth2/v2.0/token
        timeout: 10s
      authorization_endpoint: https://login.microsoftonline.com/<omitted>/oauth2/v2.0/authorize
      redirect_uri: "https://%REQ(:authority)%/callback"
      redirect_path_matcher:
        path:
          prefix: /callback
      pass_through_matcher:
        name: authorization
        present_match: true
      signout_path:
        path:
          exact: /signout
      forward_bearer_token: true
      credentials:
        client_id: "<omitted>"
        token_secret:
          name: token
          sds_config:
            resource_api_version: V3
            path_config_source:
              path: "/etc/envoy/token-secret.yaml"
        hmac_secret:
          name: hmac
          sds_config:
            resource_api_version: V3
            path_config_source:
              path: "/etc/envoy/hmac-secret.yaml"
      auth_scopes:
        - openid
        - <any scope for a Microsoft application>
```

Logs:

The 302 redirect loop will eventually end with:

```
[2023-06-08 13:09:06.628][51][debug][oauth2] [source/extensions/filters/http/oauth2/oauth_client.cc:88] Oauth response body: {"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: <omitted>\r\nCorrelation ID: <omitted>\r\nTimestamp: 2023-06-08 13:09:06Z","error_codes":[54005],"timestamp":"2023-06-08 13:09:06Z","trace_id":"<omitted>","correlation_id":"<omitted>"}
```
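The following is an added example, not code from the Envoy oauth2 filter or from the issue reporter. It shows the two checks the report asks for in concrete form: a size check against the 4096-character name-plus-value limit quoted in the Chrome error (option 1, logging a warning), and a chunked Set-Cookie scheme with reassembly on the consuming side (option 3). The chunk naming scheme `BearerToken_0`, `BearerToken_1`, ..., the cookie attributes and the constructed 9000-character token are all assumptions for illustration; a real deployment would also have to cover the filter's HMAC cookie and any reverse proxy header-size limits, which this example does not address.

```python
# Added example (not Envoy's oauth2 filter code): size-check and chunking for a
# BearerToken cookie, illustrating options 1 and 3 from the issue. The chunk
# naming scheme BearerToken_0, BearerToken_1, ... and the attribute string are
# assumptions for illustration only.
import logging
from typing import Dict, List, Optional

log = logging.getLogger("oauth2-cookie-check")

# Limit quoted in the Chrome error message: name + value <= 4096 characters.
MAX_NAME_PLUS_VALUE = 4096


def cookie_too_large(name: str, value: str, limit: int = MAX_NAME_PLUS_VALUE) -> bool:
    """True when name + value exceeds the browser limit.

    Only the name and value are counted, matching the browser message;
    attributes such as Path or HttpOnly are not part of this check.
    """
    return len(name) + len(value) > limit


def split_cookie(name: str, value: str, limit: int = MAX_NAME_PLUS_VALUE) -> Dict[str, str]:
    """Return {cookie_name: chunk}; a single entry if the value fits.

    Bearer tokens (JWT / base64url) are ASCII, so character and byte counts agree.
    """
    if not value.isascii():
        raise ValueError("expected an ASCII token value")
    if not cookie_too_large(name, value, limit):
        return {name: value}
    # Option 1 from the issue: make the oversize condition visible in the logs.
    log.warning("cookie %s is %d chars, above the %d limit; splitting",
                name, len(name) + len(value), limit)
    chunks: Dict[str, str] = {}
    pos, idx = 0, 0
    while pos < len(value):
        chunk_name = f"{name}_{idx}"          # assumed naming scheme
        room = limit - len(chunk_name)        # value budget for this chunk
        if room <= 0:
            raise ValueError("cookie name leaves no room for a value")
        chunks[chunk_name] = value[pos:pos + room]
        pos += room
        idx += 1
    return chunks


def set_cookie_headers(name: str, value: str, limit: int = MAX_NAME_PLUS_VALUE) -> List[str]:
    """Build Set-Cookie header values; every name=value pair stays within limit."""
    attrs = "Path=/; HttpOnly; Secure; SameSite=Lax"  # assumed attributes
    return [f"{n}={v}; {attrs}" for n, v in split_cookie(name, value, limit).items()]


def reassemble(cookies: Dict[str, str], name: str) -> Optional[str]:
    """Inverse of split_cookie over a parsed Cookie header (dict of name -> value).

    Returns None when neither the whole cookie nor a first chunk is present.
    """
    if name in cookies:
        return cookies[name]
    parts: List[str] = []
    idx = 0
    while f"{name}_{idx}" in cookies:
        parts.append(cookies[f"{name}_{idx}"])
        idx += 1
    return "".join(parts) if parts else None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    token = "a" * 9000  # constructed oversized token, stands in for a large access token
    for header in set_cookie_headers("BearerToken", token):
        print(header[:60] + "...")
    parsed = split_cookie("BearerToken", token)
    assert reassemble(parsed, "BearerToken") == token
```

With the constructed 9000-character token the example emits three Set-Cookie headers, each with a name-plus-value length at or below 4096, and `reassemble` recovers the original token from the parsed chunks; a token that already fits is passed through as a single cookie with no warning.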
