
OAuth2: Creating an access token with "too many" scopes fails #1767

Closed
DonMartin76 opened this issue Oct 25, 2016 · 5 comments

@DonMartin76

Summary

If you try to create an access token for an OAuth2 API using the implicit grant, and you have assigned too many scopes to the access token, Kong fails at the /oauth2/authorize endpoint with a 500 return code. I have found that around 1500 scopes (formed like this: scope_1 to scope_1500) are sufficient to trigger this behaviour.

Steps To Reproduce

  1. Create an API with an OAuth2 plugin having 5000 different scopes (scope_1 to scope_5000); this works.
  2. Create a consumer with an OAuth2 plugin having client id and secret
  3. Authorize an end user for 1500 scopes or more
  4. Tada.

Additional Details & Logs

  • Kong version 0.9.3 (in docker)
  • Kong error logs (<KONG_PREFIX>/logs/error.log):
2016/10/25 13:40:32 [warn] 83#0: *611 a client request body is buffered to a temporary file /usr/local/kong/client_body_temp/0000000001, client: 172.24.0.6, server: kong, request: "POST /mobile/oauth2/authorize HTTP/1.1", host: "kong:8000"
2016/10/25 13:40:32 [error] 83#0: *611 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/kong/plugins/oauth2/access.lua:97: bad argument #1 to 'decode' (string expected, got nil)
stack traceback:
coroutine 0:
    [C]: in function 'decode'
    /usr/local/share/lua/5.1/kong/plugins/oauth2/access.lua:97: in function 'retrieve_parameters'
    /usr/local/share/lua/5.1/kong/plugins/oauth2/access.lua:125: in function 'authorize'
    /usr/local/share/lua/5.1/kong/plugins/oauth2/access.lua:425: in function 'execute'
    /usr/local/share/lua/5.1/kong/plugins/oauth2/handler.lua:12: in function 'access'
    /usr/local/share/lua/5.1/kong.lua:164: in function 'access'
    access_by_lua(nginx-kong.conf:62):2: in function <access_by_lua(nginx-kong.conf:62):1>, client: 172.24.0.6, server: kong, request: "POST /mobile/oauth2/authorize HTTP/1.1", host: "kong:8000"
  • Operating System: running official kong docker image on Mac OS X (but shouldn't matter)
@DonMartin76
Author

This is related to #1759, and came up when actually trying to work with that many different scopes (integration tests). This is not a super usual kind of situation, but there are definitely users who would have all product licenses, and thus would be assigned all scopes.

@DonMartin76
Author

Probably somewhat related to #700 and possibly #702.

@DonMartin76
Author

The limit seems to be 10k; I see that the client_body_buffer_size is set to 10m, so why is this an issue with the OAuth2 plugin? Can I tweak this somewhere else for plugins?

@supermp

supermp commented Feb 23, 2017

I have a similar issue here.
When I make a normal request, the request body can be 10m. (related to #702)
But when I make a request under OAuth2 plugin, the limit of the request body still remains 10k.

@p0pr0ck5
Contributor

Thanks for the report @DonMartin76. With 4c907bc request body handling is now more easily configurable, allowing users to avoid buffering request bodies to disk. The solution here will be to increase the client_body_buffer_size as appropriate. It was previously undefined in the proxy server block, using the default 8k on x86/64 architectures (two memory pages); the 10m limit noted above applies to the Admin API, not the proxy port.

Thanks for the report!
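The following script is an added example and is not part of this issue, of Kong, or of the maintainers' change; it ties the reproduction steps above (scope_1 .. scope_N) to the explanation of the fix (client_body_buffer_size in the proxy server block). It sizes the scope string the reporter describes, reads an nginx configuration from stdin to find which buffer size applies to a given server block (falling back to nginx's 8k default when the directive is absent), and reports whether a body of that size would stay in memory or be spilled to a temporary file, which is the condition that precedes the nil seen in the log. The server block names `kong` and `kong_admin`, and the sample configuration embedded in the script, are constructed to resemble a Kong-generated nginx-kong.conf; check your own `<KONG_PREFIX>/nginx-kong.conf` rather than relying on the sample.

```shell
#!/bin/sh
# Added example (not Kong's code). Sizes the scope payload from the report and
# audits which client_body_buffer_size applies to each nginx server block.

# Print "scope_1 scope_2 ... scope_N" separated by single spaces.
scope_list() {
  n=$1; i=1; out=""
  while [ "$i" -le "$n" ]; do
    if [ -z "$out" ]; then out="scope_$i"; else out="$out scope_$i"; fi
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# Byte length of the scope string for N scopes (ASCII, so chars == bytes).
scope_bytes() {
  s=$(scope_list "$1")
  printf '%s' "${#s}"
}

# Convert an nginx size token (e.g. 8k, 10m, 4096) to bytes.
nginx_size_bytes() {
  v=$1
  case "$v" in
    *[kK]) printf '%s' $(( ${v%[kK]} * 1024 )) ;;
    *[mM]) printf '%s' $(( ${v%[mM]} * 1024 * 1024 )) ;;
    *)     printf '%s' "$v" ;;
  esac
}

# Read an nginx config on stdin; print "<server_name> <client_body_buffer_size|unset>"
# for every top-level server block. Braces are counted per line, so a brace
# inside a comment or string would confuse the count (good enough for
# generated configs like nginx-kong.conf).
audit_body_buffer() {
  awk '
    /^[ \t]*server[ \t]*[{]/ { depth = 1; name = "(no server_name)"; size = "unset"; next }
    depth > 0 {
      if ($1 == "server_name") { name = $2; sub(/;$/, "", name) }
      if ($1 == "client_body_buffer_size") { size = $2; sub(/;$/, "", size) }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth == 0) printf "%s %s\n", name, size
    }
  '
}

# Effective buffer in bytes for the named server block (config on stdin).
# nginx defaults client_body_buffer_size to two memory pages, 8k on x86/64;
# note client_max_body_size only caps what is accepted (413), it does not
# decide memory vs. disk.
proxy_buffer_size() {
  v=$(audit_body_buffer | awk -v want="$1" '$1 == want { print $2 }')
  if [ -z "$v" ] || [ "$v" = "unset" ]; then printf '8192'; else nginx_size_bytes "$v"; fi
}

# Verdict for N scopes against a buffer of B bytes. A body larger than the
# buffer is written to client_body_temp, after which ngx.req.get_body_data()
# returns nil, which is what the 'decode ... got nil' in the log reflects.
check_scopes_fit() {
  need=$(scope_bytes "$1")
  if [ "$need" -gt "$2" ]; then
    printf 'SPILL (%s bytes > %s byte buffer)' "$need" "$2"
  else
    printf 'OK (%s bytes <= %s byte buffer)' "$need" "$2"
  fi
}

# Constructed sample resembling a Kong 0.9 nginx-kong.conf: the proxy block
# leaves the directive unset, the admin block sets 10m.
SAMPLE_CONF='server {
    server_name kong;
    listen 0.0.0.0:8000;
    location / { proxy_pass http://upstream; }
}
server {
    server_name kong_admin;
    listen 0.0.0.0:8001;
    client_max_body_size 10m;
    client_body_buffer_size 10m;
}'

# Demo run: where would a 1500-scope authorize body land on each port?
for block in kong kong_admin; do
  buf=$(printf '%s\n' "$SAMPLE_CONF" | proxy_buffer_size "$block")
  printf '%-11s %s\n' "$block" "$(check_scopes_fit 1500 "$buf")"
done
```

Feed your real configuration instead of the sample (`proxy_buffer_size kong < "$KONG_PREFIX/nginx-kong.conf"`) and raise the proxy block's `client_body_buffer_size` until the largest scope set you issue reports OK; with the sample above, 1500 scopes is 15392 bytes, which spills on the 8k proxy default but fits comfortably in the admin block's 10m.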
