Auth0 and 413's - AD integration generating massive token

Hi Auth0 community.

Like many other posts on the internet relating to Auth0, we’re also experiencing problems with too large headers being sent back and forth to proxy APIs. Now our stack looks like this:

  1. NextJS monolith - Default 16kb header size limit → Now set to a maximum of 31.5kb
  2. Secondary api - Default 16kb header size limit → Now set to a maximum of 31.5kb
  3. Tertiary api - Default 16kb header size limit → Now set to a maximum of 31.5kb

This increase seems to go above the scope of what the NodeJS team intends, as this puts us at risk of a potential DDOS attack, from what I understand.

We have a client that has a bunch of groups for other IT systems that require to be able to read roles. We also require to see all the groups they are a part of to know how to map that group to our custom roles.

The problem is that one of these clients has around 27kb worth of cookies, split into 7 different session cookies (session_0…session_6), so we’ve attempted to increase the header size, but this does not seem to help in the long run.

How could this be mitigated? Can we avoid getting the AD groups and just request them on demand?

I hope I provided enough information - otherwise please get back to me if you are missing anything :folded_hands:

Hi @mads2

Welcome to the Auth0 Community!

I am sorry about the delayed response to your inquiry!

I believe the massive cookies set by your applications appears to be caused by the group claims retrieved from the AD connection. Since you have mentioned some of the users of your client have over 100 associated groups, this would be the only cause that I can think of in this situation.

My suggestion would be to use the beforeSessionSaved hook available in the NextJS SDK so that you filter only the default claims to the tokens and use the Management API to retrieve the user groups.

My other suggestion would be to disable the Get User Groups attribute under the Extended Attributes configuration of the AD integration so that the groups claims are not retrieved during authentication. I am not 100% familiar with AD, however, would it be possible to use the AD REST API in order to retrieve the user’s groups?

I believe that you have also opened an issue on the SDKs Github page regarding the matter. Once I receive more information on the matter, I will come back with further updates, otherwise, my recommendation would be to wait for further information on the issue you have opened or you can submit a support ticket if your tenant is under one of our paid plans.

If you have any extra information on the matter or questions, let me know!

Kind Regards,
Nik

1 Like
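To make the first suggestion above concrete, here is an added example (not code from the thread or from the Auth0 SDK) of a `beforeSessionSaved` hook that allow-lists the claims kept in the session and refuses to persist a session that would push the cookie over a size budget. The hook name and the `session.user` / `session.tokenSet` shape follow the `@auth0/nextjs-auth0` v4 `Auth0Client` options; the SDK is not imported so the file runs stand-alone, and the allow-list, the 4 KiB budget and the sample session with 120 AD groups are constructed for the example.

```javascript
// Added example: trim a NextJS SDK session before it is written to the cookie.
// beforeSessionSaved(session, idToken) is the hook offered by @auth0/nextjs-auth0 v4;
// it must return the session object the SDK should persist. The SDK is not imported
// here, so the hook is a plain function that can be passed to new Auth0Client({...}).

// Assumption: these are the only claims the application reads from the session.
// Directory claims such as AD "groups" are deliberately absent and get dropped.
const KEEP_CLAIMS = new Set(['sub', 'name', 'email', 'email_verified', 'picture', 'updated_at']);

// Assumption: a conservative per-cookie budget. Node's default --max-http-header-size
// is 16 KiB for the whole request, so the session alone should stay far below it.
const COOKIE_BUDGET_BYTES = 4096;

// Serialised size of the session, a close proxy for the cookie bytes the SDK emits.
function cookieSizeBytes(session) {
  return new TextEncoder().encode(JSON.stringify(session)).length;
}

// Keep only allow-listed user claims; tokenSet and other session fields are untouched.
function filterSessionClaims(session, keep = KEEP_CLAIMS) {
  const user = {};
  for (const [claim, value] of Object.entries(session.user ?? {})) {
    if (keep.has(claim)) user[claim] = value;
  }
  return { ...session, user };
}

function sessionOverBudget(session, budget = COOKIE_BUDGET_BYTES) {
  return cookieSizeBytes(session) > budget;
}

// The hook as it would be configured: new Auth0Client({ beforeSessionSaved }).
async function beforeSessionSaved(session /* , idToken */) {
  const slim = filterSessionClaims(session);
  if (sessionOverBudget(slim)) {
    // A slimmed session that is still over budget means a bulky claim slipped
    // through the allow-list; fail loudly instead of letting proxies return 413.
    throw new Error(`session is ${cookieSizeBytes(slim)} bytes, over the ${COOKIE_BUDGET_BYTES} byte budget`);
  }
  return slim;
}

// Constructed sample: a user carrying 120 AD group DNs, as in the original post.
const SAMPLE_SESSION = {
  user: {
    sub: 'ad|example-user',
    name: 'Example User',
    email: 'user@example.com',
    email_verified: true,
    groups: Array.from({ length: 120 }, (_, i) => `CN=App-Group-${i},OU=Groups,DC=example,DC=com`),
  },
  tokenSet: { accessToken: 'opaque-access-token', expiresAt: 1700000000 },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', cookieSizeBytes(SAMPLE_SESSION), 'bytes, over budget:', sessionOverBudget(SAMPLE_SESSION));
  const slim = filterSessionClaims(SAMPLE_SESSION);
  console.log('after: ', cookieSizeBytes(slim), 'bytes, over budget:', sessionOverBudget(slim));
}
```

Throwing from the hook rather than silently truncating is the point of the budget check: the failure surfaces in the SDK's callback handling during login, where it is visible, instead of as a 413 from whichever proxy has the smallest header limit.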

Hi Nik,

Thanks for responding. We’ve basically handled it like you said - and it works well.

So I can confirm this is a sane approach. We decided to request the groups from the management api when we needed to use them and just avoided returning it initially to the clients.

Best regards,

Mads

1 Like
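The approach Mads confirms, requesting groups from the Management API only when they are needed, as an added example that is not code from the thread or from Auth0. `GET /api/v2/users/{id}` with a `Bearer` Management API token is a real endpoint; that the returned profile exposes the AD groups under a `groups` property is an assumption for this example, as are the tenant domain, the token, the group-to-role mapping and the injected `fetchImpl` (a constructed fake stands in for the network so the file runs offline).

```javascript
// Added example: look up a user's directory groups on demand from the Auth0
// Management API and map them to application roles, keeping them out of the cookie.

// Assumption: how long a group lookup may be reused before asking the API again.
const GROUP_CACHE_TTL_MS = 5 * 60 * 1000;

// Real endpoint shape; the user id is URL-encoded because ids such as "ad|..." contain "|".
function managementUserUrl(domain, userId) {
  return `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`;
}

// fetchImpl and now are injectable so the lookup can be exercised without a network.
function createGroupLookup({ domain, managementToken, fetchImpl = globalThis.fetch, now = Date.now }) {
  const cache = new Map(); // userId -> { groups, expiresAt }

  async function groupsFor(userId) {
    const hit = cache.get(userId);
    if (hit && hit.expiresAt > now()) return hit.groups;

    const res = await fetchImpl(managementUserUrl(domain, userId), {
      headers: { Authorization: `Bearer ${managementToken}` },
    });
    if (!res.ok) throw new Error(`management api returned ${res.status} for ${userId}`);
    const profile = await res.json();
    // Assumption: the profile carries the connection's groups as an array under "groups".
    const groups = Array.isArray(profile.groups) ? profile.groups : [];
    cache.set(userId, { groups, expiresAt: now() + GROUP_CACHE_TTL_MS });
    return groups;
  }

  return { groupsFor, cacheSize: () => cache.size };
}

// Assumption: the app's own mapping. Unknown groups are ignored, so a group that is
// renamed or newly created in AD cannot silently grant a role.
const GROUP_TO_ROLE = {
  'CN=App-Admins,OU=Groups,DC=example,DC=com': 'admin',
  'CN=App-Editors,OU=Groups,DC=example,DC=com': 'editor',
};

function rolesFromGroups(groups, mapping = GROUP_TO_ROLE) {
  const roles = new Set();
  for (const group of groups) {
    if (Object.prototype.hasOwnProperty.call(mapping, group)) roles.add(mapping[group]);
  }
  return [...roles].sort();
}

// Constructed fake of the Management API; records every URL it is asked for.
function fakeManagementApi(calls) {
  return async (url) => {
    calls.push(url);
    return {
      ok: true,
      status: 200,
      json: async () => ({
        user_id: 'ad|example-user',
        groups: [
          'CN=App-Editors,OU=Groups,DC=example,DC=com',
          'CN=Unrelated-Printers,OU=Groups,DC=example,DC=com',
        ],
      }),
    };
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const calls = [];
  const lookup = createGroupLookup({
    domain: 'example.auth0.com', // placeholder tenant
    managementToken: 'placeholder-management-token',
    fetchImpl: fakeManagementApi(calls),
  });
  lookup.groupsFor('ad|example-user')
    .then((groups) => console.log('roles:', rolesFromGroups(groups), 'api calls:', calls.length));
}
```

The cache is what makes this cheaper than carrying groups in the token: a user with 100+ groups costs one Management API call per TTL window per server, and the role decision happens server-side from a mapping the IdP cannot influence.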

Thanks for letting me know Mads!
Glad I could provide an accurate solution on the matter.

Again, I am sorry about the delayed response to the post, however, if you ever have any other issues or questions, let us know!

Kind Regards,
Nik