feat: Allow POST method to send large login_challenge/consent_challenge to login/consent pages
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
https://github.com/ory/hydra/pull/3639 in release v2.2.0 introduced a major change in the size of the login_challenge and consent_challenge query string parameters. The size of those parameters now depends on both the size of the authorization request (which can be large if it includes a signed request parameter) and the configuration of the OAuth2 client (which can be large if multiple redirect_uris or JWK sets are configured for the same client).
This can result in an HTTP 414 Request-URI Too Large error at the reverse proxy/application firewall, or even trigger URL size limits at the browser level.
Describe your ideal solution
Ideally, there would be a configuration setting that would allow sending the large login and consent challenge via an HTTP POST request, where the large login_challenge or consent_challenge would be part of the request body.
```http
POST /login HTTP/1.1
Host: login.page.domain.example.com
Content-Type: application/x-www-form-urlencoded

login_challenge=ljdkejkfjeflkejkfepakdlakamlkdaml...
```

```http
POST /consent HTTP/1.1
Host: consent.page.domain.example.com
Content-Type: application/x-www-form-urlencoded

consent_challenge=ljdkejkfjeflkejkfepakdlakamlkdaml...
```
In order to keep the same end-user experience, an auto-submitted web form can be used, for example:
```html
<html>
  <head>
    <title>Login Challenge</title>
  </head>
  <body onload="document.forms[0].submit()">
    <form method="post" action="https://login.page.domain.example.com">
      <input type="hidden" name="login_challenge" value="[large login challenge value]" />
      <noscript>
        <input type="submit" value="Submit login challenge" />
      </noscript>
    </form>
  </body>
</html>
```
Workarounds or alternatives
Workarounds exist:
- https://github.com/ory/hydra/releases/tag/v2.2.0-rc.2: Because the login and consent challenge values now include the AEAD-encoded flow, their size increased to around 1kB for a flow without any metadata (and increases linearly with the amount of metadata). Please adjust your ingress / gateway accordingly.
- Keep your OAuth configuration small
- Keep your authorization request small
Version
v2.2.0
Additional Context
This proposed solution is inspired by SAML, which supports both Redirect and POST bindings for sending SAML requests and responses.
Typically, when you hit the HTTP 414 Request-URI Too Large error, it is recommended to switch to the POST binding instead of increasing size limits on the reverse proxy.
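To make the proposed POST binding concrete, here is an added example in Go (not Hydra's code, nor the issue author's) for the login/consent app side: one helper accepts the challenge from either the existing query-string binding or a form body, with the body size capped so an oversized POST is rejected instead of parsed, and one renders the auto-submit form through html/template so the challenge is escaped as an attribute value. The limit constant and all function names are assumptions for this example.

```go
package main

import (
	"bytes"
	"errors"
	"html/template"
	"net/http"
)

// maxChallengeBytes bounds the form body we are willing to parse. The value
// is an assumption for this example, not a Hydra setting.
const maxChallengeBytes = 64 << 10

// autoSubmitForm is the auto-submitted POST form from the issue, rendered
// through html/template so the challenge is attribute-escaped.
var autoSubmitForm = template.Must(template.New("f").Parse(`<html><head><title>Login Challenge</title></head>
<body onload="document.forms[0].submit()">
<form method="post" action="{{.Action}}">
<input type="hidden" name="{{.Name}}" value="{{.Value}}" />
<noscript><input type="submit" value="Submit login challenge" /></noscript>
</form></body></html>`))

// RenderPostBinding returns the HTML that relays a challenge to action via POST.
func RenderPostBinding(action, name, challenge string) (string, error) {
	var buf bytes.Buffer
	err := autoSubmitForm.Execute(&buf, map[string]string{
		"Action": action, "Name": name, "Value": challenge,
	})
	return buf.String(), err
}

// ChallengeFromRequest accepts the challenge as a query parameter (the
// redirect binding Hydra uses today) or as a form field in a POST body (the
// proposed POST binding). The body is capped at maxBytes so a client cannot
// make the page read an unbounded body.
func ChallengeFromRequest(w http.ResponseWriter, r *http.Request, name string, maxBytes int64) (string, error) {
	switch r.Method {
	case http.MethodGet:
		if v := r.URL.Query().Get(name); v != "" {
			return v, nil
		}
	case http.MethodPost:
		r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
		if err := r.ParseForm(); err != nil { // fails when maxBytes is exceeded
			return "", err
		}
		if v := r.PostForm.Get(name); v != "" {
			return v, nil
		}
	}
	return "", errors.New("missing " + name)
}
```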
I fear that the hidden POST submit will cause issues with Safari's intelligent tracking protection as well as other anti-third-party-cookie measures, as the UI and Hydra typically run on separate domains.
First of all thank you for your answer, and the great work on hydra. Since I saw there was an ongoing discussion in another issue I replied over there https://github.com/ory/hydra/issues/3955#issuecomment-2707025084.