Solving Request Header Or Cookie Too Large Error in Nginx

Sadly, this isn’t about baking cookies, sorry. Recently, I’ve had a container that is running a .NET front-end application, with identity provided using Azure Active Directory in the form of an app registration.

Nginx 400 Bad Request

What I noticed was that occasionally, I would get requests that would show the Nginx error page with a 400 Bad Request — Request Header or Cookie Too Large error. In my configuration I have traffic coming through Azure Front Door, over a Private Link to Azure Kubernetes Service.

I can obviously tell that the error is generated from Nginx, but I checked Azure Front Door to see if any security options were causing this downstream of the request. This turned up clean.

When I looked at the authentication cookie stored by the identity service, I found it was huge, and this was almost certainly causing the issue. I started looking at configuration options; thanks to an issue on GitHub, I looked at adding large-client-header-buffers to the ConfigMap, but this had little effect.
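To see which header is responsible before changing buffer settings or claims, the check below measures a request's headers against a large_client_header_buffers value; in an HTTP/1.1 request all cookies travel in one Cookie header line, so their combined size has to fit in a single buffer. This is an added example, not code from the original post: the cookie names, sizes and the "4 8k" / "4 16k" values are constructed assumptions, and the overall cap is approximated as number times size.

```python
import re

def parse_buffers(setting):
    """Parse an nginx large_client_header_buffers value such as '4 8k'."""
    m = re.fullmatch(r"\s*(\d+)\s+(\d+)([kKmM]?)\s*", setting)
    if not m:
        raise ValueError(f"unrecognised setting: {setting!r}")
    unit = {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(3).lower()]
    return int(m.group(1)), int(m.group(2)) * unit

def header_report(headers, setting="4 8k"):
    """Compare header sizes with the buffer limits (simplified model)."""
    count, size = parse_buffers(setting)
    # Bytes on the wire for each header line: 'Name: value\r\n'
    lines = {n: len(f"{n}: {v}\r\n".encode()) for n, v in headers.items()}
    cookies = {}
    for part in headers.get("Cookie", "").split("; "):
        name, sep, _ = part.partition("=")
        if sep:
            cookies[name] = len(part.encode())
    total = sum(lines.values())
    return {
        # nginx answers 400 when one header line does not fit in one buffer
        "too_long": sorted(n for n, b in lines.items() if b > size),
        "total_bytes": total,
        "over_total": total > count * size,  # approximation of the overall cap
        "cookies_by_size": sorted(cookies.items(), key=lambda kv: -kv[1]),
    }

# Constructed request: cookie names and sizes are made up for illustration.
SAMPLE = {
    "Host": "app.example.test",
    "User-Agent": "constructed-sample/1.0",
    "Cookie": "; ".join([
        "theme=dark",
        ".AspNetCore.Cookies=chunks-3",
        ".AspNetCore.CookiesC1=" + "A" * 4000,
        ".AspNetCore.CookiesC2=" + "B" * 4000,
        ".AspNetCore.CookiesC3=" + "C" * 2000,
    ]),
}

if __name__ == "__main__":
    for setting in ("4 8k", "4 16k"):
        print(setting, header_report(SAMPLE, setting)["too_long"])
    print(header_report(SAMPLE)["cookies_by_size"][:3])
```

Feed it the headers from a failing request (for example, copied from the browser's developer tools) to see whether the Cookie line alone exceeds one buffer and which cookie contributes most.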

In my current scenario, users have a large number of groups, thanks in large part to Azure Lighthouse, used by MSPs primarily for access management to tenants. At a group per customer, this creates a long list pretty quickly.

For me, resolving this issue was just a case of stopping groups getting sent over in the claims upon authentication. I don’t need groups for this application so it was an easy compromise. However, if I need group membership, that would present a problem. Sadly, it’s not something I’ve managed to research yet.

Edit groups claim screen in Azure AD

You could of course specify specific types of groups if this would help with your scenario. Or you can remove the sending of group claims altogether like I did.
