Hi, I hit a quite common problem related to mod_auth_openidc. The issue is well described in "Bad Request due to state cookie are piling up and sending to server" on the mod_auth_openidc GitHub project.
In general, because of parallel requests, multiple state cookies are generated, which are then sent to the auth server; however, at some point their number reaches the server (proxy) limit and the only way to recover is to delete some on the client side.
The case is quite well documented on the OpenIDC project too; however, it's quite hard to fix this issue using the Apache/Grafana configuration.
The JavaScripts aren't in one simple place, so it couldn't be simply fixed by OIDCUnAuthAction 401, so the only thing left is a fix on the application side using
provide a X-Requested-With: XMLHttpRequest
header in the Javascript call
as mentioned in the OpenIDC module wiki. However, I do not know if it's even possible, as I do not understand it correctly. Maybe you will know, or even find a way, how I can configure the server so that it will work?
Thank you for any hint.
More topics about the issue:
https://groups.google.com/forum/#!topic/mod_auth_openidc/D1dwqNqflVI
https://groups.google.com/d/msg/mod_auth_openidc/D1dwqNqflVI/EPD4g1l6BAAJ
https://groups.google.com/forum/#!topic/mod_auth_openidc/hRQfHTbbtFY
opened 05:10AM - 07 Dec 15 UTC
closed 03:50PM - 30 Jan 16 UTC
I'm using a single OpenIDC server to connect to a load balanced backend nodejs a… pp using ROUTEID for session affinity. This works for some time but then at times (don't know what triggers it) I get tons of cookies like this: mod_auth_openidc_state_1wxkjdkjsfksd. This eventually leads to the user being denied access to the site due to 'Size of request header field exceeds limit'. I have set the limit really high (32KB) but I still get it. Any ideas how I can fix the issue? I'm on Ubuntu 15.10 and apache 2.4 w/ mod_auth_openidc 1.6.0
Here is my config:
```
<VirtualHost *:80>
ServerName foo.bar.com
Redirect permanent / https://foo.bar.com/
</VirtualHost>
<VirtualHost _default_:443>
ServerName foo.bar.com
ServerAdmin ops@bar.co
DocumentRoot /var/www/html
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
SetEnvIf Origin "^(.*\.bar\.co)$" ORIGIN_SUB_DOMAIN=$1
Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
Header unset Content-Security-Policy
Header always set Access-Control-Allow-Credentials "true"
RequestHeader set X-Forwarded-Proto "https"
LimitRequestFieldSize 9999999
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/private/bar.crt
SSLCertificateChainFile /etc/apache2/ssl/private/intermediate.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/bar.key
SSLProtocol TLSv1.1 TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
RequestHeader set x-bar-proxy-secret "xxxxxxxxxxxxxxx"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID xxxxxxxxxxxxxxx.apps.googleusercontent.com
OIDCClientSecret xxxxxxxxxxxxxxx
OIDCScope "openid email profile"
OIDCRedirectURI https://foo.bar.com/oauth2callback
OIDCCryptoPassphrase xxxxxxxxxxxxxxx
OIDCSessionInactivityTimeout 86400
OIDCCookiePath /
OIDCAuthRequestParams hd=bar.co
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
LogLevel info
<Proxy balancer://http-foo>
BalancerMember http://bar-app-00.c.bar-prod.internal:1080 route=1
BalancerMember http://bar-app-01.c.bar-prod.internal:1080 route=2
BalancerMember http://bar-app-02.c.bar-prod.internal:1080 route=3
BalancerMember http://bar-app-03.c.bar-prod.internal:1080 route=4
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
</Proxy>
<Proxy balancer://ws-foo>
BalancerMember ws://bar-app-00.c.bar-prod.internal:1080 route=1
BalancerMember ws://bar-app-01.c.bar-prod.internal:1080 route=2
BalancerMember ws://bar-app-02.c.bar-prod.internal:1080 route=3
BalancerMember ws://bar-app-03.c.bar-prod.internal:1080 route=4
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
</Proxy>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) balancer://ws-foo/$1 [P,L]
ProxyPreserveHost on
ProxyPass / balancer://http-foo/
ProxyPassReverse / balancer://http-foo/
ProxyPass /socket.io/ balancer://ws-foo/socket.io/
ProxyPassReverse /socket.io/ balancer://ws-foo/socket.io/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Location />
AuthType openid-connect
Require ip xx.xx.xx.xx
Require claim hd:bar.co
Require valid-user
</Location>
</VirtualHost>
```
opened 12:13PM - 21 Jan 16 UTC
closed 08:39AM - 24 Feb 16 UTC
We have a few users who always seem to end up in the state where they have to de… lete all the state cookies that are generated by mod_auth_openidc to get back in.
The web server ends up answering:
"Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Cookie"
I think this happens due to a timeout of the session, and the state cookies seem to pile up and not get deleted even though the cookies have a timeout. At least the problem is related to cookies getting piled up and not deleted when a new state cookie is created.
Our user which is most annoyed by this is using Firefox 42 on Ubuntu 14.04.
Is anyone else experiencing this?
I also think this might be a Firefox bug… ( https://bugzilla.mozilla.org/show_bug.cgi?id=576347 )
https://groups.google.com/forum/#!searchin/mod_auth_openidc/cookies/mod_auth_openidc/qRLKZwddpqo/nmT1ezVzCwAJ
Try OIDCUnAuthAction 401
for /public/*
and /api/*
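What the wiki's "provide a X-Requested-With: XMLHttpRequest header in the Javascript call" advice from the first post means in practice, and how it pairs with the `OIDCUnAuthAction 401` suggestion above, as an added example that is not code from this thread, from Grafana or from the mod_auth_openidc project. The wrapper assumes a single-page app whose background calls go through one `fetch` helper; the `fetch` and `navigate` functions are injected so the failure mode can be exercised offline with a constructed stub server, and the `/api/item/N` URLs and the `loginUrl` are assumptions.

```javascript
// Added example (not from the thread or the mod_auth_openidc project).
//
// Failure mode from the thread: once the session expires, every concurrent
// XHR/fetch the page fires is answered with a redirect to the provider, and
// each redirect sets a fresh mod_auth_openidc_state_* cookie. Dozens of
// parallel calls mean dozens of cookies, until the Cookie header exceeds
// LimitRequestFieldSize and Apache answers "400 Bad Request".
//
// Mitigation: mark background calls with "X-Requested-With: XMLHttpRequest"
// (mod_auth_openidc then answers 401 instead of redirecting; OIDCUnAuthAction
// 401 on the API <Location> does the same from the server side) and let
// exactly ONE top-level navigation perform the login.

function createAuthAwareFetch(options) {
  const fetchImpl = options.fetch;          // injected: window.fetch in a browser
  const navigate = options.navigate;        // injected: url => window.location.assign(url)
  const loginUrl = options.loginUrl || "/"; // any protected, navigable URL (assumption)
  let loginInFlight = false;                // guard: one navigation per expiry
  const stats = { requests: 0, unauthorized: 0, navigations: 0 };

  async function authFetch(url, init) {
    const base = init || {};
    // The header is what turns a redirect into a 401 for this call.
    const headers = Object.assign({}, base.headers || {}, {
      "X-Requested-With": "XMLHttpRequest",
    });
    stats.requests += 1;
    // The session cookie must travel with the call, hence same-origin credentials.
    const response = await fetchImpl(url, Object.assign({}, base, { headers, credentials: "same-origin" }));
    if (response.status !== 401) return response;

    stats.unauthorized += 1;
    if (!loginInFlight) {
      loginInFlight = true;
      stats.navigations += 1;
      navigate(loginUrl); // only this navigation creates a state cookie
    }
    throw new Error("session expired; login navigation started");
  }

  return { authFetch, stats };
}

// Constructed stand-in for the reverse proxy: answers a fixed status and
// records which X-Requested-With value it saw on every request.
function makeStubServer(status) {
  const seenHeaders = [];
  return {
    seenHeaders,
    fetch: async (url, init) => {
      seenHeaders.push(init.headers["X-Requested-With"]);
      return { status, url };
    },
  };
}

// Replays the scenario from the thread: `parallel` background calls fired
// at once after the session has expired. Returns the counters a test can check.
async function simulateExpiredSession(parallel) {
  const server = makeStubServer(401);
  const navigations = [];
  const { authFetch, stats } = createAuthAwareFetch({
    fetch: server.fetch,
    navigate: url => navigations.push(url),
    loginUrl: "/",
  });
  const results = await Promise.allSettled(
    Array.from({ length: parallel }, (_, i) => authFetch(`/api/item/${i}`))
  );
  return {
    rejected: results.filter(r => r.status === "rejected").length,
    navigations: navigations.length,
    headerSetOnAll: server.seenHeaders.every(h => h === "XMLHttpRequest"),
    stats,
  };
}

simulateExpiredSession(25).then(r =>
  console.log(`${r.stats.requests} calls, ${r.stats.unauthorized} x 401, ${r.navigations} login navigation(s)`)
);
```

Run it with `node` and 25 expired calls produce one navigation, so at most one state cookie per expiry instead of 25. The client side only helps if the server answers the header with a 401 rather than a redirect, which is why the reply above scopes `OIDCUnAuthAction 401` to the paths that only scripts call (`/api/*`, `/public/*`) while the HTML pages keep the default redirect so a normal page load still logs the user in.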
Facing the same issue. Were you able to solve this?