
OIDC usernames (email) are limited to 32 characters in length

Open DirkTheDaring opened this issue 2 years ago • 1 comments

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

We recently switched to OIDC via DEX (which is used for a lot of tools in our environment, working fine). We generally took the approach of having a login "email" and a password. We recently discovered that there seems to be a username length limit in Minio. When a user tries to log in with an email address longer than 32 characters, Minio refuses to let the user in. All users whose email addresses are shorter than 32 characters are working.

Expected Behavior

Usernames of up to 128 characters should be able to log in, as in all other tools that use DEX for OIDC.

Current Behavior

Email addresses shorter than 32 characters work for login.
Email addresses longer than 32 characters are denied login.

Possible Solution

Find hidden 32 character limit

Steps to Reproduce (for bugs)

1. Set up DEX as the OIDC provider.
2. Use email as the login for DEX (configured in DEX).
3. Try to log in with an email address that is longer than 32 characters --> BUG

Context

Heavily, as some of my more important users are not able to use minio.

Regression

Not known

Your Environment

  • Version used (minio --version): minio version DEVELOPMENT.2022-04-30T22-23-53Z

  • Server setup and configuration: Kubernetes 1.23; DEX, which is rolled out by the argo-cd helm chart: argo-cd-4.5.8 v2.3.3

  • Operating System and version (uname -a): Linux minio-6cfd4997df-tf4n8 5.16.18-200.fc35.x86_64 #1 SMP PREEMPT Mon Mar 28 14:10:07 UTC 2022 x86_64 GNU/Linux

  • OIDC Variables (domain names changed for security, also credentials)

  • name: MINIO_IDENTITY_OPENID_CONFIG_URL value: "https://argocd.example.com/api/dex/.well-known/openid-configuration"
  • name: MINIO_IDENTITY_OPENID_CLIENT_ID value: "argocd-repo-creds-minio-prod-sso"
  • name: MINIO_IDENTITY_OPENID_CLIENT_SECRET value: "xxxxxxxxxx"
  • name: MINIO_IDENTITY_OPENID_CLAIM_NAME value: "email"
  • name: MINIO_IDENTITY_OPENID_SCOPES value: "openid,email,groups,profile,offline_access"
  • name: MINIO_IDENTITY_OPENID_REDIRECT_URI value: "https://minio.example.com/oauth_callback"

DirkTheDaring avatar May 03 '22 08:05 DirkTheDaring

After further research I saw that the response to the api/v1/login/oauth2/auth POST contains a malformed response cookie. The error the browser reports for the cookie generated by minio is: "cookie is too large. The combined size of name and value has to be less or equal to 4096 characters." The question is now why the cookie gets so big. A potential reason is that my user belongs to a lot of groups.

PGaus avatar May 04 '22 09:05 PGaus

> After further research I saw that the response to the api/v1/login/oauth2/auth POST contains a malformed response cookie. The error the browser reports for the cookie generated by minio is: "cookie is too large. The combined size of name and value has to be less or equal to 4096 characters." The question is now why the cookie gets so big. A potential reason is that my user belongs to a lot of groups.

I can verify that this is the case indeed, the 4096 character limit for the cookie seems to be a browser limitation. However, I was able to log in with a user that had a username larger than 32 characters, who wasn't part of many groups.

We are taking a look at if it's possible to reduce the size of this cookie, we will keep you updated. 👍

kaankabalak avatar Oct 06 '22 10:10 kaankabalak
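As an added example (not code from minio, console or DEX, none of which is shown on this page), the following Python script illustrates the diagnosis in the two comments above: the login failure is driven by the size of the token carried in the session cookie, and a long email claim alone is not what pushes it past 4096 bytes, while a large `groups` claim is. It builds a JWT-shaped ID token for a constructed user with an email longer than 32 characters and a configurable number of groups, then checks whether a cookie holding that token would stay within the combined name+value limit quoted in the browser error. The token layout, HS256 signing key, cookie name and group names are all assumptions for illustration; minio's real session cookie format is not described on this page, and a real DEX token is RS256-signed with more claims, so the sizes here are a lower bound.

```python
import base64
import hashlib
import hmac
import json

# Combined name + value limit reported by the browser in the thread above.
COOKIE_LIMIT = 4096


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_id_token(email: str, groups: list, key: bytes) -> str:
    """Build an HS256-signed, JWT-shaped ID token.

    Constructed for illustration only: the issuer, subject and expiry are
    placeholders, and a real DEX token would be RS256-signed and carry more
    claims, so the resulting size is a lower bound for the real thing.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://argocd.example.com/api/dex",  # assumed issuer
        "sub": "user-0001",                            # assumed subject
        "email": email,
        "groups": groups,
        "exp": 1651600000,
    }
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url(json.dumps(header, **compact).encode())
        + "."
        + b64url(json.dumps(payload, **compact).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def cookie_size(name: str, value: str) -> int:
    """Bytes the browser counts: cookie name plus cookie value."""
    return len(name.encode()) + len(value.encode())


def cookie_fits(name: str, value: str, limit: int = COOKIE_LIMIT) -> bool:
    """True if a cookie of this name/value stays within the limit."""
    return cookie_size(name, value) <= limit


def check_user(email: str, n_groups: int, cookie_name: str = "token"):
    """Return (size, fits) for a constructed user with n_groups group memberships.

    Group names and the cookie name are assumptions; the key is a demo value.
    """
    groups = [f"team-{i:03d}-engineering" for i in range(n_groups)]
    token = make_id_token(email, groups, b"constructed-demo-key")
    return cookie_size(cookie_name, token), cookie_fits(cookie_name, token)


if __name__ == "__main__":
    long_email = "a" * 50 + "@example.com"  # 62 characters, well over 32
    for n in (0, 3, 50, 150, 300):
        size, fits = check_user(long_email, n)
        print(f"{n:3d} groups: cookie {size:5d} bytes, fits={fits}")
    # A short email with many groups fails the same way, showing that the
    # group count, not the username length, is what exceeds the limit.
    print("short email, 300 groups:", check_user("ab@example.com", 300))
```

Run it as-is to see the cookie size grow roughly linearly with the number of groups and cross 4096 bytes somewhere in the low hundreds of groups for names of this length; swap in the group names your directory actually emits to get a realistic estimate for your own users.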

Closing this in favor of #1838

kaankabalak avatar Dec 12 '22 18:12 kaankabalak