Skip to content

Slim down cookies#285

Merged
mjudeikis merged 3 commits into
kbind-dev:mainfrom
xrstf:slim-cookie
Aug 19, 2025
Merged

Slim down cookies#285
mjudeikis merged 3 commits into
kbind-dev:mainfrom
xrstf:slim-cookie

Conversation

@xrstf

@xrstf xrstf commented Aug 19, 2025

Copy link
Copy Markdown
Contributor

Summary

Depending on the crypto settings, but more likely depending on the number of groups a user is in, the size of the generated access, refresh and ID tokens can be quite large. However browser cookies are limited to 4KB per origin.

Thankfully kube-bind's example backend doesn't actually need any of the large tokens, neither does it need the user groups. So for this implementation it's possible to simply store much less in the cookie.

This is what this PR achieves. We now only store the issuer and subject from the original ID token. When testing using the quickstart guide, the size of my cookie went down from 2,476 to 492 bytes. And I suspect it won't grow much beyond that, unless your issuer is https://examplesareoftennotenoughsometimesyouneedawizardtoexplainthebasicsofmagictoyou.edu.

Since the cookie is now much smaller and hopefully stays small, I have removed the example compression functions, as well as the example (?) function to parse the cookie SameSite attribute. Not sure why that one ever existed.

I also made the name of the cookie less random, but still per-cluster, so that fewer information needs to be transmitted via query string parameters. There is IMHO no need to have multiple sessions open for the same cluster and the same backend.

For the cookie settings, I have removed the TODO for the HttpOnly flag. With the example backend there is absolutely no reason to make this actually configurable. The same applies to the SameSite flag, which is purely dependent on how the example backend is implemented and doesn't need to be configurable. Likewise I extracted the secure flag, in preparation of supporting HTTPS mode for the example backend if we ever need it.

I also fixed a few log statements that were using Info instead of Error.

And lastly, noticed during testing, I fixed make dex/bin/dex.

What Type of PR Is This?

/kind bug

Related Issue(s)

Fixes #136

Release Notes

The example backend stores less data in the session cookie and should be more compatible with a variety of OIDC provider setups.

@xrstf xrstf requested a review from a team as a code owner August 19, 2025 14:50
return &http.Cookie{
Name: name,
Value: value,
Path: "/", // TODO: make configurable

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we might also drop all the TODOs

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking that someone might expose this backend behind an Ingress with a PathPrefix, so the TODO for the Path felt valid.

cnvergence
cnvergence previously approved these changes Aug 19, 2025
xrstf added 3 commits August 19, 2025 18:36
On-behalf-of: @SAP christoph.mewes@sap.com
On-behalf-of: @SAP christoph.mewes@sap.com
@mjudeikis mjudeikis merged commit d449a8e into kbind-dev:main Aug 19, 2025
5 checks passed
@xrstf xrstf deleted the slim-cookie branch September 15, 2025 10:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

securecookie: the value is too long error when using more complex encryption algorithms for oAuth

3 participants