zamzterz/Flask-pyoidc

authentication redirect loop because of cookie too big (and not stored)


Based on the provided example in https://github.com/zamzterz/cognito-demo I configured an AWS Cognito user pool and tried to run it.

I am not yet at the MFA part, just trying to log in with a username and password (MFA set to optional).
Calling the flask app root URL redirects to Cognito UI, login happens and then the log below is provided.
After several redirect loops the process breaks and an error is displayed.

I suspect the cookie is too big, so it's not stored in the browser (checked, it really isn't), and then it obviously can't be presented. Cognito thinks I am already logged in, the Flask app thinks I'm not, and here comes the loop.

What / how should I change/configure to fix this?
Smaller cookie somehow?

Thanks in advance!

2021-12-10 12:35:06.905 | DEBUG | flask_pyoidc.flask_pyoidc:wrapper:227 - user not authenticated, start flow
2021-12-10 12:35:06.906 | DEBUG | flask_pyoidc.flask_pyoidc:_authenticate:126 - auth_req: {"client_id": "xxx", "response_type": "code", "scope": "openid aws.cognito.signin.user.admin", "redirect_uri": "https://dev-yyy.com/redirect_uri", "state": "y6MbVqIkYeZJkQQo", "nonce": "PH5qsKEBEkg2ga01"}
2021-12-10 12:35:06.907 | DEBUG | flask_pyoidc.flask_pyoidc:_authenticate:129 - login_url: https://dev-yyy.com/oauth2/authorize?client_id=xxx&response_type=code&scope=openid+aws.cognito.signin.user.admin&redirect_uri=https%3A%2F%2Fdev-xxx%2Fredirect_uri&state=y6MbVqIkYeZJkQQo&nonce=PH5qsKEBEkg2ga01
10.84.32.93 - - [10/Dec/2021 12:35:06] "GET / HTTP/1.1" 302 -
2021-12-10 12:35:07.295 | DEBUG | flask_pyoidc.flask_pyoidc:_handle_authentication_response:163 - received authentication response: %s
/home/ubuntu/.local/lib/python3.8/site-packages/werkzeug/sansio/response.py:234: UserWarning: The 'session' cookie is too large: the value was 4231 bytes but the header required 65 extra bytes. The final size was 4296 bytes but the limit is 4093 bytes. Browsers may silently ignore cookies larger than this.
dump_cookie(
10.84.32.93 - - [10/Dec/2021 12:35:07] "GET /redirect_uri?code=510ddb6e-8b58-4176-af99-d082704f3d79&state=y6MbVqIkYeZJkQQo HTTP/1.1" 302 -
2021-12-10 12:35:07.622 | DEBUG | flask_pyoidc.flask_pyoidc:wrapper:227 - user not authenticated, start flow

If you wonder, the log above was delivered by loguru.

The Cognito pool is configured with a client secret. It works with cli.py after adding the needed hash function to it.

Your suspicion might be entirely correct: the cookie might be too big if the tokens issued by AWS Cognito are large, as the default behavior of Flask is to serialise the entire session content as the cookie value.
To get around it you should configure your Flask app to use some other session storage, for example server-side session storage as suggested in the Flask documentation.

Closing this as it's not directly related to this extension, but feel free to reopen if you find any issue. 🙂
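To make the cookie-size problem and the server-side fix concrete, here is an added stand-alone model (not Flask-pyoidc code and not from this issue): a cookie-backed session that serialises and signs the whole session dict, the way Flask's default session does, next to a server-side store whose cookie carries only an opaque id. The token sizes, secret key and the 4093/65-byte figures are taken from the werkzeug warning above; everything else is constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Browser limit and header overhead as reported by werkzeug in the log above.
COOKIE_LIMIT = 4093
HEADER_OVERHEAD = 65


def cookie_backed_session(session_data, secret_key):
    """Model of Flask's default session: the whole dict is JSON-serialised,
    base64-encoded and HMAC-signed, and that string IS the cookie value."""
    payload = base64.urlsafe_b64encode(json.dumps(session_data).encode()).rstrip(b"=")
    sig = hmac.new(secret_key, payload, hashlib.sha1).digest()
    return (payload + b"." + base64.urlsafe_b64encode(sig).rstrip(b"=")).decode()


class ServerSideSessions:
    """Session data kept on the server; the cookie only carries a random id."""

    def __init__(self):
        self._store = {}

    def save(self, session_data):
        sid = secrets.token_urlsafe(32)  # 43 characters, far below the limit
        self._store[sid] = dict(session_data)
        return sid

    def load(self, sid):
        return self._store.get(sid)


def cookie_too_large(cookie_value):
    """Mirror werkzeug's check: value plus attribute overhead against the limit."""
    return len(cookie_value) + HEADER_OVERHEAD > COOKIE_LIMIT


# Constructed stand-in for what an OIDC client keeps per user after login:
# an ID token, access token and refresh token of roughly Cognito JWT size.
FAKE_SESSION = {
    "id_token": "x" * 1100,
    "access_token": "y" * 1100,
    "refresh_token": "z" * 1400,
    "userinfo": {"sub": "constructed-subject"},
}


def compare(session_data=FAKE_SESSION, secret_key=b"constructed-secret"):
    cookie_value = cookie_backed_session(session_data, secret_key)
    store = ServerSideSessions()
    sid = store.save(session_data)
    return {
        "cookie_backed_bytes": len(cookie_value),
        "cookie_backed_too_large": cookie_too_large(cookie_value),
        "server_side_bytes": len(sid),
        "server_side_too_large": cookie_too_large(sid),
        "round_trip_ok": store.load(sid) == session_data,
    }
```

With a real app the same effect is obtained by swapping Flask's session interface for a server-side backend (for example via an extension such as Flask-Session), so that the tokens never leave the server.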