OIDC with AzureAD error="securecookie: the value is too long: 4848"

[13BTurbo]

I'm trying to setup nginx-sso for our tenancy on AAD and am getting the following error in nginx-sso?

time="2025-02-13T20:32:24Z" level=error msg="Login failed with unexpected error" error="securecookie: the value is too long: 4848"
{"error":"securecookie: the value is too long: 4848","event_type":"login_failure","go":"https://xxxxxxxxxxxxxx/","headers":{},"reason":"error","remote_addr":"xxxxxxxxxxxx","timestamp":"2025-02-13T20:32:24Z"}

This occurs after the Microsoft SSO request on the redirect to /login?code=xxxxxxxxxxxxx&state=oidc&session_state=xxxxxxxxxxxxx#

[Luzifer]

Same issue as with Keycloak: The token returned from the server is too long to be stored inside one cookie which is the way nginx-sso stores the session. This needs a rewrite to store the session server-side and only reference it on the client.

Sadly currently I don't have the capacity to fix this (which also stalls my usage of Keycloak for SSO on my clusters)…

[13BTurbo]

Thanks for the super prompt reply.

[medva1997]

Same issue as with Keycloak: The token returned from the server is too long to be stored inside one cookie which is the way nginx-sso stores the session. This needs a rewrite to store the session server-side and only reference it on the client.

Sadly currently I don't have the capacity to fix this (which also stalls my usage of Keycloak for SSO on my clusters)…

A workaround for Keycloak is to disable unused client scopes.
In my case, it was sufficient to set the assigned type to "Optional" for the client scopes (roles, web-origins, and profile) under:
Keycloak → Clients → ${client} → Client Scopes