Long redirect URLs cause tsh login to fail #7467
Labels: bug, c-sq, feature-request
Problem
A user reported seeing the following errors when attempting to use `tsh login` with their SSO provider; Web UI login works fine. The error was coming from their identity provider because the code token had already been consumed.
Upon investigation, it was discovered that the entire SSO login flow is successful until the 302 console redirect that transfers credentials from the browser to disk. The user runs a middleware component that intercepts all requests and drops any with headers larger than 8 KB, and Teleport was sending a `Location` header that was 16 KB. The middleware would accept the request and then drop it; the 302 console redirect would be retried, and this time it passed the middleware because the header was now smaller than 8 KB, but failed at the IdP (hence the error above) because the code token had already been consumed.

The user reports that this is not specific to the middleware they are running: other popular cloud services, such as the AWS ALB, also enforce 8 KB limits on headers.
Proposed Solution
This process starts with the IdP issuing a `POST /webapi/saml/acs` request, which eventually becomes the 302 console redirect. Instead of performing a 302 console redirect, Teleport could return a small JavaScript application that uses `window.location` to perform the redirect. We use a similar approach in Application Access: https://github.com/gravitational/teleport/blob/master/lib/web/app/redirect.go

This would solve the problem because the long URL would travel in the response body rather than in a `Location` header, so it would not be caught by header-size-limiting middleware; the redirect itself would then be performed by the browser, local to the user's workstation.
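As an added example (this is not Teleport's code and not the `redirect.go` linked above), the following Go program renders a hypothetical script-based redirect page alongside the existing 302 for the same target and measures what a per-header size limit would see in each case. The 8 KB threshold, the `/webapi/saml/acs` request path, the loopback callback URL with its 16 KB payload, and every function and type name here are assumptions for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// maxHeaderBytes is the per-header limit the issue attributes to the customer's
// middleware and to AWS ALB; it is an assumed threshold for the check below.
const maxHeaderBytes = 8 * 1024

// redirectPage is a hypothetical stand-in for the JavaScript redirect page the
// issue proposes. html/template renders {{.}} inside <script> as a JSON-encoded
// JavaScript string literal, so a target containing quotes or "</script>"
// cannot break out of the literal and run as code.
var redirectPage = template.Must(template.New("redirect").Parse(`<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Redirecting</title></head>
<body><p>Login complete, handing off to the local client...</p>
<script>window.location.replace({{.}});</script>
<noscript><a href="{{.}}">Continue</a></noscript>
</body></html>
`))

// validateRedirectURL accepts only absolute http/https URLs. The page hands the
// target to window.location, where a "javascript:" URL would execute, so the
// scheme check is load-bearing. A real handler should additionally pin the host
// to the expected client callback (assumed out of scope here).
func validateRedirectURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("refusing redirect with scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("refusing redirect without a host")
	}
	return u, nil
}

// headerRedirect is the current behaviour: a 302 whose Location header carries
// the entire target URL, credentials included.
func headerRedirect(w http.ResponseWriter, r *http.Request, target string) {
	http.Redirect(w, r, target, http.StatusFound)
}

// scriptRedirect is the proposed behaviour: a 200 with small headers whose body
// asks the browser to navigate. Cache-Control: no-store keeps the
// credential-bearing URL out of browser and intermediary caches.
func scriptRedirect(w http.ResponseWriter, target string) error {
	if _, err := validateRedirectURL(target); err != nil {
		return err
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(http.StatusOK)
	return redirectPage.Execute(w, target)
}

// headerLineBytes is the wire size of one "Name: value\r\n" header line, which is
// what a per-header limit is measured against.
func headerLineBytes(name, value string) int {
	return len(name) + len(": ") + len(value) + len("\r\n")
}

// largestHeaderLine returns the size of the biggest header line in h.
func largestHeaderLine(h http.Header) int {
	biggest := 0
	for name, values := range h {
		for _, v := range values {
			if n := headerLineBytes(name, v); n > biggest {
				biggest = n
			}
		}
	}
	return biggest
}

// comparison captures what a limit-enforcing middleware would see for each approach.
type comparison struct {
	LocationHeaderBytes  int  // size of the 302's Location line
	ScriptMaxHeaderBytes int  // largest header line of the script-redirect response
	BodyCarriesTarget    bool // the target host and path appear in the HTML body instead
}

// compare renders the same target both ways against recorded responses.
func compare(target string) (comparison, error) {
	u, err := validateRedirectURL(target)
	if err != nil {
		return comparison{}, err
	}
	req := httptest.NewRequest(http.MethodPost, "/webapi/saml/acs", nil)
	rec302 := httptest.NewRecorder()
	headerRedirect(rec302, req, target)
	recJS := httptest.NewRecorder()
	if err := scriptRedirect(recJS, target); err != nil {
		return comparison{}, err
	}
	return comparison{
		LocationHeaderBytes:  headerLineBytes("Location", rec302.Header().Get("Location")),
		ScriptMaxHeaderBytes: largestHeaderLine(recJS.Header()),
		BodyCarriesTarget:    strings.Contains(recJS.Body.String(), u.Host+u.Path),
	}, nil
}

func main() {
	// Constructed target: a loopback callback like the one tsh listens on,
	// padded to roughly the 16 KB the issue reports.
	target := "http://127.0.0.1:3456/callback?response=" + strings.Repeat("A", 16*1024)
	c, err := compare(target)
	if err != nil {
		panic(err)
	}
	fmt.Printf("302 Location line: %d bytes, over %d-byte limit: %t\n",
		c.LocationHeaderBytes, maxHeaderBytes, c.LocationHeaderBytes > maxHeaderBytes)
	fmt.Printf("script page largest header: %d bytes, body carries target: %t\n",
		c.ScriptMaxHeaderBytes, c.BodyCarriesTarget)
}
```

Two practitioner caveats the body-based redirect brings with it: the inline `<script>` needs a nonce or an external file if the proxy serves a `Content-Security-Policy` that forbids inline scripts, and because the credentials now sit in an HTML body rather than a header, the `no-store` cache directive and the http/https scheme check above are part of the fix, not decoration.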