Console nginx uses default client-header buffers — large OIDC tokens cause HTTP 400 #41
Status: Open

Labels:
- area/auth: Issues or PRs related to authentication, oauth2-proxy integration, userinfo
- area/container: Issues or PRs related to the container image build, Containerfile, nginx configuration
- kind/bug: Categorizes issue or PR as related to a bug
- priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release
- triage/accepted: Indicates an issue is ready to be actively worked on
Describe the bug

The console image serves the SPA and reverse-proxies the Kubernetes API through an nginx config baked into the Containerfile (the inline heredoc written to /etc/nginx/conf.d/default.conf). That config sets neither client_header_buffer_size nor large_client_header_buffers, so both stay at the nginx defaults (1k and 4 8k).

When OIDC is enabled and the IdP issues a large access token — e.g. a user carrying many group claims from an external IdP — the bearer token / kc-access cookie pushes the request headers past those defaults, and nginx returns 400 Bad Request: request header or cookie too large before the request reaches the /apis, /api, or /k8s/ upstream.

Where

Containerfile, the server { ... } block in the /etc/nginx/conf.d/default.conf heredoc. All three proxy locations (/apis, /api, /k8s/) forward the oversized client request headers upstream, so the request is rejected at this nginx layer.

Suggested fix

Raise the header buffers in that nginx config (server or top-level http context):
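As an added illustration (not the console's actual Containerfile heredoc), this is what the server block looks like with the two buffer directives set; the listen port, SPA root and upstream addresses are assumptions, while the three proxied paths are the ones named above.

```nginx
# Added example, not the project's own nginx config.
# Listen port, SPA root and proxy_pass targets are assumptions; the three
# proxied paths (/apis, /api, /k8s/) are the ones named in the issue.
server {
    listen 8080;

    # nginx defaults when these are unset: client_header_buffer_size 1k and
    # large_client_header_buffers 4 8k. A request line or a single header
    # (Authorization: Bearer ... or the kc-access cookie) larger than one
    # large buffer is answered with 400 "Request Header Or Cookie Too Large"
    # before any location below is reached.
    client_header_buffer_size 16k;      # first buffer, covers the common case
    large_client_header_buffers 4 32k;  # fallback buffers for oversized headers

    # SPA (static files)
    location / {
        root /usr/share/nginx/html;
        try_files $uri /index.html;
    }

    # Kubernetes API proxy. nginx passes the client's Authorization header
    # and Cookie through unchanged, so the upstream also receives the large
    # token; the ingress in front of this container needs the same raise.
    location /apis { proxy_pass https://kubernetes.default.svc; }
    location /api  { proxy_pass https://kubernetes.default.svc; }
    location /k8s/ { proxy_pass https://kubernetes.default.svc/; }
}
```

After rebuilding the image, `nginx -T` inside the container prints the effective configuration and confirms both directives are active.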
Context
This is the console-image half of cozystack/cozystack#2853. The platform ingress-nginx controller is the other layer carrying the same oversized headers and is tracked there. Both layers need larger buffers for the fix to be complete.
Observed on Cozystack 1.3.5 / 1.4.2; confirmed the buffer directives are still absent on the current default branch.