feat: Allow POST method to send large login_challenge/consent_challenge to login/consent pages #3777
Open
3 of 5 tasks
Labels
feat
New feature or request.
Preflight checklist
Ory Network Project
No response
Describe your problem
#3639 in the release v2.2.0 introduced a major change in the size of the
login_challenge
consent_challenge
query string parameters. Now the size of those parameters depends on both the size of the authorization request (which can be large if it includes a signedrequest
parameter) and the configuration of the OAuth2 Client (which can be large if multiple redirect_uris or jwk sets are configured for the same client).This can result on HTTP 414 Request-Uri Too Large error on Reverse Proxy/application firewall or even trigger size limit at the browser level.
Describe your ideal solution
Ideally, there would be a configuration setting available that would allow to send the large login and consent challenge via a HTTP POST request, where the large login_challenge or consent_challenge would be part of the request body.
In order to keep the same end user experience, a auto submitted web form can be used, for example:
Workarounds or alternatives
Workarounds exist:
https://github.com/ory/hydra/releases/tag/v2.2.0-rc.2: Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
Keep your OAuth configuration small
Keep your Authorization request small
Version
v2.2.0
Additional Context
This propose solution is inspired by SAML which supports both Redirect and POST binding for sending Saml request and response.
Typically when you reach the HTTP 414 Request-Uri Too Large error, it is recommended to switch to the Post Binding instead of increasing size limits on Reverse Proxy.
The text was updated successfully, but these errors were encountered: