azuread securecookie: the value is too long
Hi,
I cannot get azuread oauth working with goth. Has anyone managed to use azuread/azuread2? The error:
securecookie: the value is too long
Google sign in works fine.
The issue is with the size of the cookie being set in the browser.
I've tried using a postgresql session store.
// Back the gothic session with Postgres instead of the default cookie store.
store, err := pgstore.NewPGStore("postgres://postgres:postgres@"+os.Getenv("db_uri")+"/db?sslmode=disable", []byte(os.Getenv("SESSION_SECRET")))
if err != nil {
log.Fatal(err) // log.Fatalf(err.Error()) would treat the error text as a format string
}
defer store.Close()
// Cleanup starts the expired-session reaper; StopCleanup takes the channels it returns.
defer store.StopCleanup(store.Cleanup(time.Minute * 5))
gothic.Store = store // Appears to have no effect
This creates the session table but goth doesn't populate rows even on successful google sign ins. I do not need the access token from the sign in. Only the verified email address.
Other issues mention removing claims/groups. This is with a new azure project with no modifications.
Thanks, Simon
Wild guess: try setting the store's MaxLength property to something large. It defaults to 4096 bytes (which may not be enough).
store.MaxLength = 10 * 1024
Edit: I think pgstore has it as a method:
store.MaxLength(10 * 1024)
YMMV
I think I found the source of this issue while looking for a solution to my own problem.
https://github.com/markbates/goth/blob/f347ee3e9478c9dee76c03d842220a14715cb3e6/gothic/gothic.go#L209
This line is called every time you call CompleteUserAuth. It tries to place the AccessToken, RefreshToken, and ExpiresAt into the session whether you want it there or not. I commented this line out in the code and I was instantly able to get it working.
Like you I am not using the AccessToken. I am storing what I need in a JWT so storing it in the session is not needed. One fix might be to check the default store and if it doesn't match the used store don't execute this line.
// Only write the provider session into the store when the default cookie store is still in use.
if defaultStore == Store {
err = StoreInSession(providerName, sess.Marshal(), req, res)
if err != nil {
return goth.User{}, err
}
}
This issue shows up when attempting to implement PKCE (https://github.com/punmechanic/goth/commit/4944a61d216648738baa6e6535805829bd85ae10, see #516) for openidconnect. Even a trivial attempt at implementing PKCE (whose recommended challenge size is 32b when generated using oauth2.GenerateVerifier) may result in the session overflowing its bounds when refresh tokens are enabled with a stock Keycloak server.
It may be that my naive attempt at storing the verifier within the session is unwise and it may be better to serialize the verifier in a different session.
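An added illustration, not code from goth or from anyone in this thread, of why the cookie overflows and what does fit: it approximates securecookie's encode path (JSON payload, base64, timestamp and HMAC, base64 again, 4096-byte cap) over a session shaped like the azuread provider's, using constructed token strings. The struct fields, the cookie name, the key and the token lengths are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// maxCookieLen is securecookie's default MaxLength (4096 bytes).
const maxCookieLen = 4096

// oauthSession mirrors the azuread provider's Session; CompleteUserAuth puts all of it in the cookie.
type oauthSession struct{ AccessToken, RefreshToken, ExpiresAt string }

type identityOnly struct {
	Email    string
	Verified bool
}

// cookieLen approximates securecookie.Encode: base64(payload), then base64("ts|payload|hmac"), then MaxLength.
func cookieLen(name string, key []byte, v interface{}) (int, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return 0, err
	}
	payload := base64.URLEncoding.EncodeToString(raw)
	ts := "1700000000" // constructed fixed timestamp; securecookie uses time.Now()
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name + "|" + ts + "|" + payload))
	sig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
	out := base64.URLEncoding.EncodeToString([]byte(ts + "|" + payload + "|" + sig))
	if len(out) > maxCookieLen {
		return len(out), fmt.Errorf("securecookie: the value is too long")
	}
	return len(out), nil
}

// fullSession: constructed sign-in with refresh tokens enabled; typical Azure AD lengths, fake bytes.
func fullSession() oauthSession {
	return oauthSession{strings.Repeat("a", 2000), strings.Repeat("r", 1200), "2024-01-01T00:00:00Z"}
}

func main() {
	key := []byte("constructed-session-secret")
	fmt.Println(cookieLen("_gothic_session", key, fullSession()))
	fmt.Println(cookieLen("_gothic_session", key, identityOnly{"user@example.com", true}))
}
```

With these constructed lengths the same session minus its refresh token stays under the cap, which matches the refresh-token observation above; keeping only the verified identity in the cookie leaves the tokens for a server-side store or drops them entirely.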