
feat: Allow POST method to send large login_challenge/consent_challenge to login/consent pages #3777

Open
3 of 5 tasks
vdbulcke opened this issue Jun 10, 2024 · 0 comments
Labels
feat New feature or request.

Comments

@vdbulcke

Preflight checklist

Ory Network Project

No response

Describe your problem

#3639 in the release v2.2.0 introduced a major change in the size of the login_challenge / consent_challenge query string parameters. Now the size of those parameters depends on both the size of the authorization request (which can be large if it includes a signed request parameter) and the configuration of the OAuth2 Client (which can be large if multiple redirect_uris or JWK sets are configured for the same client).

This can result in an HTTP 414 Request-URI Too Large error on a reverse proxy/application firewall, or even trigger a size limit at the browser level.

Describe your ideal solution

Ideally, there would be a configuration setting available that would allow sending the large login and consent challenge via an HTTP POST request, where the large login_challenge or consent_challenge would be part of the request body.

POST /login HTTP/1.1
Host: login.page.domain.example.com
Content-Type: application/x-www-form-urlencoded

login_challenge=ljdkejkfjeflkejkfepakdlakamlkdaml...

POST /consent HTTP/1.1
Host: consent.page.domain.example.com
Content-Type: application/x-www-form-urlencoded

consent_challenge=ljdkejkfjeflkejkfepakdlakamlkdaml...

In order to keep the same end user experience, an auto-submitted web form can be used, for example:

<html>
<head>
    <title>Login Challenge</title>
</head>
<body onload="document.forms[0].submit()">
<form method="post" action="https://login.page.domain.example.com/login">
    <input type="hidden" name="login_challenge" value="[large login challenge value]" />
    <noscript>
        <input type="submit" value="Submit login challenge" />
    </noscript>
</form>
</body>
</html>

Workarounds or alternatives

Workarounds exist:

  • https://github.com/ory/hydra/releases/tag/v2.2.0-rc.2: Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.

  • Keep your OAuth configuration small

  • Keep your Authorization request small

Version

v2.2.0

Additional Context

This proposed solution is inspired by SAML, which supports both Redirect and POST bindings for sending SAML requests and responses.

Typically, when you reach the HTTP 414 Request-URI Too Large error, it is recommended to switch to the POST binding instead of increasing size limits on the reverse proxy.

@vdbulcke vdbulcke added the feat New feature or request. label Jun 10, 2024