Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azuread securecookie: the value is too long #463

Open
C-monC opened this issue Jun 27, 2022 · 3 comments
Open

azuread securecookie: the value is too long #463

C-monC opened this issue Jun 27, 2022 · 3 comments

Comments

@C-monC
Copy link

C-monC commented Jun 27, 2022

Hi,

I cannot get azuread oauth working with goth. Has anyone managed to use azuread/azuread2?
The error:

securecookie: the value is too long

Google sign in works fine.

The issue is with the size of the cookie being set in the browser.

I've tried using a postgresql session store.

	store, err := pgstore.NewPGStore("postgres://postgres:postgres@"+os.Getenv("db_uri")+"/db?sslmode=disable", []byte(os.Getenv("SESSION_SECRET")))
	if err != nil {
		log.Fatalf(err.Error())
	}
	defer store.Close()
	defer store.StopCleanup(store.Cleanup(time.Minute * 5))
	gothic.Store = store // Appears to have no effect

This creates the session table but goth doesn't populate rows even on successful google sign ins.
I do not need the access token from the sign in. Only the verified email address.

Other issues mention removing claims/groups. This is with a new azure project with no modifications.

Thanks,
Simon
@joriszwart
Copy link
Contributor

joriszwart commented Sep 1, 2022
edited
Loading

Wild guess: try setting the store's MaxLength property to something large. It defaults to 4096 bytes (which may not be enough).

store.MaxLength = 10 * 1024

Edit: I think pgstore has it as a method:

store.MaxLength(10 * 1024)

YMMV

@joriszwart joriszwart mentioned this issue Sep 1, 2022
Open
@tmstorm
Copy link

tmstorm commented Dec 28, 2023
edited
Loading

I think I found the source of this issue while looking for a solution to my own problem.

goth/gothic/gothic.go

Line 209 in f347ee3

err = StoreInSession(providerName, sess.Marshal(), req, res)

This line is called every time you call CompleteUserAuth. It tries to place the AccessToken, RefreshToken, and ExpiresAt into the session weather you want it there or not. I commented this line out in the code and I was instantly able to get it working.

Like you I am not using the AccessToken. I am storing what I need in a JWT so storing it in the session is not needed. One fix might be to check the default store and if it doesn't match the used store don't execute this line.

if defaultStore == Store {
	err = StoreInSession(providerName, sess.Marshal(), req, res)
	if err != nil {
		return goth.User{}, err
	}
}

@nervous-inhuman nervous-inhuman mentioned this issue Jan 16, 2024
Closed
@punmechanic
Copy link

punmechanic commented Apr 19, 2024
edited
Loading

This issue shows up when attempting to implement PKCE (punmechanic@4944a61, see #516) for openidconnect. Even a trivial attempt at implementing PKCE (whose recommended challenge size is 32b when generated using oauth2.GenerateVerifier) may result in the session overflowing its bounds when refresh tokens are enabled with a stock Keycloak server.

It may be that my naive attempt at storing the verifier within the session is unwise and it may be better to serialize the verifier in a different session.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@punmechanic @joriszwart @C-monC @tmstorm