NOTE
If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.
We recently switched to OIDC via DEX (which is used for a lot of tools in our environment, working fine). We generally took the approach to have a login "email" and a password. We recently discovered that there seems to be a username length limit in Minio. When a user tries to log in with an email address longer than 32 characters, Minio refuses to let the user in. Any users who have email addresses <32 characters are working.
Expected Behavior
Usernames up to 128 characters should be able to log in, as in all other tools which use DEX for oidc.
Current Behavior
Email addresses < 32 characters in length work for login
Emails with > 32 characters are denied login
Possible Solution
Find hidden 32 character limit
Steps to Reproduce (for bugs)
1. Set up DEX as oidc provider
2. Use email as login for DEX (configured in DEX)
3. Try to log in with an email address which is longer than 32 characters --> BUG
Context
Heavily, as some of my more important users are not able to use minio.
Regression
Not known
Your Environment
Version used (minio --version):
minio version DEVELOPMENT.2022-04-30T22-23-53Z
Server setup and configuration:
Kubernetes 1.23
DEX which is rolled out by argo-cd helm chart: argo-cd-4.5.8 v2.3.3
Operating System and version (uname -a):
Linux minio-6cfd4997df-tf4n8 5.16.18-200.fc35.x86_64 #1 SMP PREEMPT Mon Mar 28 14:10:07 UTC 2022 x86_64 GNU/Linux
OIDC Variables (domain names changed for security, also credentials)
value: "https://argocd.example.com/api/dex/.well-known/openid-configuration"
value: "argocd-repo-creds-minio-prod-sso"
value: "xxxxxxxxxx"
value: "email"
value: "openid,email,groups,profile,offline_access"
value: "https://minio.example.com/oauth_callback"

After further research I saw that the response to the api/v1/login/oauth2/auth POST contains a malformed response cookie. The error the browser reports is that the cookie generated by the minio "cookie is too large. The combined size of name and value has to be less or equal to 4096 characters."
Question is now why the cookie gets so big? Potential reason is that my user belongs to a lot of groups.

> After further research I saw that the response to the api/v1/login/oauth2/auth POST contains a malformed response cookie. The error the browser reports is that the cookie generated by the minio "cookie is too large. The combined size of name and value has to be less or equal to 4096 characters." Question is now why the cookie gets so big? Potential reason is that my user belongs to a lot of groups.
I can verify that this is indeed the case; the 4096 character limit for the cookie seems to be a browser limitation. However, I was able to log in with a user that had a username larger than 32 characters, who wasn't part of many groups.
We are taking a look at whether it's possible to reduce the size of this cookie; we will keep you updated. 👍
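The thread traces the login failure to the 4096-character browser cookie limit and a large groups claim, not to the email length. The following is an added example, not code from the issue or from MinIO: it measures how much each claim adds to an ID token and how many groups fit before a cookie carrying that token overflows. It assumes the session cookie carries data at least as large as the token (the issue does not show the cookie's contents); the cookie name, issuer, email and group names are constructed placeholders.

```python
import base64
import json

COOKIE_LIMIT = 4096      # browser limit quoted in the issue: name + value combined
COOKIE_NAME = "session"  # placeholder name, not taken from MinIO


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(email, groups):
    """Constructed, unsigned JWT-shaped ID token; the signature part is filler."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://dex.example.com", "sub": "constructed-subject",
              "email": email, "groups": groups}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url(b'x' * 256)}"  # 256 bytes, like an RS256 signature


def decode_claims(token):
    """Decode the payload for size inspection only; nothing is verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def claim_sizes(claims):
    """Bytes each claim contributes to the JSON payload, largest first."""
    sizes = {k: len(json.dumps({k: v}, separators=(",", ":")).encode()) - 2
             for k, v in claims.items()}
    return dict(sorted(sizes.items(), key=lambda kv: kv[1], reverse=True))


def cookie_fits(value, name=COOKIE_NAME):
    return len(name.encode()) + len(value.encode()) <= COOKIE_LIMIT


def max_groups_that_fit(email, groups):
    """Largest prefix of `groups` whose token still fits in one cookie."""
    count = 0
    while count < len(groups) and cookie_fits(make_sample_token(email, groups[:count + 1])):
        count += 1
    return count


if __name__ == "__main__":
    email = "firstname.lastname@engineering.example.com"  # constructed, 42 characters
    groups = [f"team-platform-engineering-{i:03d}" for i in range(200)]  # constructed
    token = make_sample_token(email, groups)
    print("claim sizes:", claim_sizes(decode_claims(token)))
    print("token length:", len(token), "fits:", cookie_fits(token))
    print("groups that fit:", max_groups_that_fit(email, groups))
```

To inspect a real token, pass it to `decode_claims` and `claim_sizes` in place of the constructed one; the payload is only decoded, never verified, so use the output for sizing and nothing else.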