OIDC usernames ( email) are limited to 32 characters length #1943

Closed
DirkTheDaring opened this issue May 3, 2022 · 3 comments

DirkTheDaring commented May 3, 2022

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

We recently switched to OIDC via DEX (which is used for a lot of tools in our environment, working fine). We generally took the approach to have a login "email" and a password. We recently discovered that there seems to be a username length limit in Minio. When a user tries to log in with an email address longer than 32 characters, Minio refuses to let the user in. Any users who have email addresses <32 characters are working.

Expected Behavior

Usernames up to 128 characters should be able to log in, as in all other tools which use DEX for OIDC.

Current Behavior

Email addresses < 32 characters in length work for login
Emails with > 32 characters are denied login

Possible Solution

Find hidden 32 character limit

Steps to Reproduce (for bugs)

1. Set up DEX as OIDC provider
2. Use email as login for DEX (configured in DEX)
3. Try to log in with an email address which is longer than 32 characters --> BUG

Context

Heavily, as some of my more important users are not able to use minio.

Regression

Not known

Your Environment

  • Version used (minio --version):
    minio version DEVELOPMENT.2022-04-30T22-23-53Z

  • Server setup and configuration:
    Kubernetes 1.23
    DEX which is rolled out by argo-cd helm chart: argo-cd-4.5.8 v2.3.3

  • Operating System and version (uname -a):
    Linux minio-6cfd4997df-tf4n8 5.16.18-200.fc35.x86_64 #1 SMP PREEMPT Mon Mar 28 14:10:07 UTC 2022 x86_64 GNU/Linux

  • OIDC Variables (domain names changed for security, also credentials)

harshavardhana transferred this issue from minio/minio May 3, 2022

PGaus commented May 4, 2022

After further research I saw that the response to the api/v1/login/oauth2/auth POST contains a malformed response cookie. The error the browser reports for the cookie generated by minio is "cookie is too large. The combined size of name and value has to be less or equal to 4096 characters."
The question now is why the cookie gets so big. A potential reason is that my user belongs to a lot of groups.

Contributor

kaankabalak commented Oct 6, 2022

> After further research I saw that the response to the api/v1/login/oauth2/auth POST contains a malformed response cookie. The error the browser reports for the cookie generated by minio is "cookie is too large. The combined size of name and value has to be less or equal to 4096 characters." The question now is why the cookie gets so big. A potential reason is that my user belongs to a lot of groups.

I can verify that this is indeed the case; the 4096 character limit for the cookie seems to be a browser limitation. However, I was able to log in with a user that had a username larger than 32 characters, who wasn't part of many groups.

We are taking a look at whether it's possible to reduce the size of this cookie; we will keep you updated. 👍
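An added example, not part of the original thread or MinIO's code: a check that measures a `Set-Cookie` header against the 4096-character name-plus-value limit quoted above, and shows that group claims rather than the email length push a token past it. The cookie name `token`, the unsigned JWT-shaped stand-in token, the 342-character signature placeholder and the group names are all constructed assumptions.

```python
import base64
import json

BROWSER_COOKIE_LIMIT = 4096  # name + value, per the browser error quoted in the thread


def cookie_name_value_size(set_cookie_header):
    """Return (name, len(name) + len(value)) for one Set-Cookie header value."""
    pair = set_cookie_header.split(";", 1)[0].strip()  # attributes do not count
    name, _, value = pair.partition("=")
    return name, len(name) + len(value)


def is_oversized(set_cookie_header, limit=BROWSER_COOKIE_LIMIT):
    """True when a browser would reject the cookie as too large."""
    return cookie_name_value_size(set_cookie_header)[1] > limit


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_shaped_token(email, groups):
    """Constructed stand-in: a JWT-shaped string carrying email and group claims."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    payload = b64url(json.dumps({"email": email, "groups": groups}).encode())
    signature = "x" * 342  # placeholder with the length of a 256-byte signature
    return f"{header}.{payload}.{signature}"


def first_oversized_group_count(email, cookie_name="token", max_groups=2000):
    """Smallest number of (constructed) groups that makes the cookie too large."""
    for n in range(max_groups + 1):
        groups = [f"team-{i:04d}-example" for i in range(n)]
        header = f"{cookie_name}={jwt_shaped_token(email, groups)}; Path=/; HttpOnly"
        if is_oversized(header):
            return n
    return None


if __name__ == "__main__":
    long_email = "firstname.lastname@department.example.org"  # constructed, > 32 chars
    print("groups needed to overflow:", first_oversized_group_count(long_email))
```

Running the size check on the `Set-Cookie` header captured from the failing login response tells you directly whether the browser limit, rather than the username length, is what blocks the login.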

@kaankabalak
Contributor

Closing this in favor of #1838
