
Cookie named "_fz_http_key" exceeds maximum size of 4096 bytes #2607

Closed
orlovmyk opened this issue Nov 7, 2023 · 5 comments
Labels
needs triage Issues opened by the public or need further labeling

Comments


orlovmyk commented Nov 7, 2023

Describe the bug
I am trying to set up Firezone + Casdoor as IdP (OpenID Connect).

To Reproduce
Try to set up Firezone with Casdoor.

Expected behavior
I can log in using OpenID Connect.

Screenshots / Logs

firezone-firezone-1  | 22:07:43.956 erl_level=info application=phoenix domain=elixir file=lib/phoenix/logger.ex function=phoenix_endpoint_stop/4 line=231 mfa=Phoenix.Logger.phoenix_endpoint_stop/4 module=Phoenix.Logger pid=<0.531.0> request_id=F5V2n-_uljAbcmUAAAAk [info] Sent 302 in 256ms
firezone-firezone-1  | 22:07:43.978 erl_level=info application=phoenix domain=elixir file=lib/phoenix/logger.ex function=phoenix_endpoint_stop/4 line=231 mfa=Phoenix.Logger.phoenix_endpoint_stop/4 module=Phoenix.Logger pid=<0.531.0> request_id=F5V2n-_uljAbcmUAAAAk [info] Sent 500 in 278ms
firezone-firezone-1  | 22:07:43.981 erl_level=error domain=cowboy pid=<0.530.0> [error] #PID<0.531.0> running FzHttpWeb.Endpoint (connection #PID<0.530.0>, stream id 1) terminated
firezone-firezone-1  | Server: vpn.pineapple.pp.ua:80 (http)
firezone-firezone-1  | Request: GET /auth/oidc/casdoor/callback?code=cfae9e2c6cbaf17fd232&state=3W0xmg9VhnY_5etT
firezone-firezone-1  | ** (exit) an exception was raised:
firezone-firezone-1  |     ** (Plug.Conn.CookieOverflowError) cookie named "_fz_http_key" exceeds maximum size of 4096 bytes
firezone-firezone-1  |         (plug 1.14.0) lib/plug/conn.ex:1860: Plug.Conn.verify_cookie!/2
firezone-firezone-1  |         (plug 1.14.0) lib/plug/conn.ex:1853: anonymous fn/2 in Plug.Conn.merge_headers/2
firezone-firezone-1  |         (stdlib 4.2) maps.erl:411: :maps.fold_1/3
firezone-firezone-1  |         (plug 1.14.0) lib/plug/conn.ex:1845: Plug.Conn.run_before_send/2
firezone-firezone-1  |         (plug 1.14.0) lib/plug/conn.ex:448: Plug.Conn.send_resp/1
firezone-firezone-1  |         (fz_http 0.7.22) lib/fz_http_web/controllers/auth_controller.ex:1: FzHttpWeb.AuthController.action/2
firezone-firezone-1  |         (fz_http 0.7.22) lib/fz_http_web/controllers/auth_controller.ex:1: FzHttpWeb.AuthController.phoenix_controller_pipeline/2
firezone-firezone-1  |         (phoenix 1.7.1) lib/phoenix/router.ex:425: Phoenix.Router.__call__/5
firezone-firezone-1  | 22:08:33.360 erl_level=error domain=otp.elixir pid=<0.539.0> [error] Task #PID<0.539.0> started from #PID<0.374.0> terminating
firezone-firezone-1  | ** (Protocol.UndefinedError) protocol Jason.Encoder not implemented for {{:db, :allow_unprivileged_device_management}, true} of type Tuple, Jason.Encoder protocol must always be explicitly implemented. This protocol is implemented for the following type(s): Any, Atom, BitString, Date, DateTime, Decimal, Ecto.Association.NotLoaded, Ecto.Schema.Metadata, Float, Integer, Jason.Fragment, Jason.OrderedObject, List, Map, NaiveDateTime, Postgrex.INET, Time

Platform (please complete the following information):

  • Firezone Version 0.7.35
  • OS: Linux
  • Distro: Ubuntu 20.04.6
  • Kernel version: Linux ns545851 5.4.0-163-generic -Ubuntu SMP Tue Sep 5 13:21:23 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Deployment method: Docker
orlovmyk added the "needs triage" label Nov 7, 2023

AndrewDryga (Collaborator) commented:

This might be a duplicate of #1621. Can you please make sure that you don't write too much metadata to the IdP provider token?


orlovmyk commented Nov 8, 2023

@AndrewDryga Yes, that was it; now I can get back from the IdP. I managed to fix it by changing the token type in Casdoor:
JWT -> JWT empty

But now I am getting another error after successful login and getting back to Firezone:
"Error signing in: unknown provider or email not found in params"


My OIDC config:

OPENID_CONNECT_PROVIDERS='[{"auto_create_users": true, "id": "casdoor", "label": "SSO", "client_id": "my_client", "client_secret": "my_secret", "discovery_document_uri": "https://sso.pineapple.pp.ua/.well-known/openid-configuration", "redirect_uri": "https://vpn.pineapple.pp.ua/auth/oidc/casdoor/callback", "response_type": "code", "scope": "openid email profile"}]'

AndrewDryga (Collaborator) commented:

@orlovmyk please make sure that the IdP returns email as part of the response claims, otherwise Firezone doesn't know which user is signing in.


orlovmyk commented Nov 8, 2023

@AndrewDryga I agree with you; I've started a discussion about that in the Casdoor repository:
casdoor/casdoor#2483 (reply in thread)

It looks like JWT-empty contains only Owner and Name, but JWT (full) results in the error mentioned at the start of this thread: Cookie named "_fz_http_key" exceeds maximum size of 4096 bytes. Thanks for your help 🙏

I will close the task once I figure out how to resolve this.
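The two failure modes discussed in this thread (an IdP token too large for the 4096-byte session cookie, and a token that carries no email claim) can be checked before wiring a provider into Firezone. The following is an added diagnostic, not code from the thread, from Firezone or from Casdoor; the tokens, claims and signing key are constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Per-cookie limit enforced by Plug.Conn (the number quoted in the error above).
COOKIE_MAX_BYTES = 4096


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jwt(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build a compact HS256 JWT from a claims dict (constructed demo key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Decode the payload segment for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, required=("email",)) -> dict:
    """Report the token's size against the cookie cap and any missing required claims.

    The raw token length is a lower bound: the session cookie that stores it also
    carries other session data plus signing/encryption overhead, so a token close
    to the cap will still overflow in practice.
    """
    claims = decode_claims(token)
    size = len(token.encode("utf-8"))
    missing = [c for c in required if not claims.get(c)]
    return {"size_bytes": size, "fits_cookie": size <= COOKIE_MAX_BYTES, "missing_claims": missing}


if __name__ == "__main__":
    # Constructed stand-ins for the three token shapes discussed in the thread.
    minimal = make_jwt({"owner": "built-in", "name": "alice"})                     # "JWT empty"-like
    bloated = make_jwt({"sub": "1", "email": "alice@example.com", "extra": "x" * 5000})  # oversized full token
    fixed = make_jwt({"sub": "1", "name": "alice", "email": "alice@example.com"})   # small and has email
    for label, tok in (("minimal", minimal), ("bloated", bloated), ("fixed", fixed)):
        print(label, check_token(tok))
```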


orlovmyk commented Nov 9, 2023

@AndrewDryga the issue is fixed in Casdoor > 1.451.0.
Thread: casdoor/casdoor#2483

Closing issue

orlovmyk closed this as completed Nov 9, 2023