OpenID sub token too long for Cognito (max 128) #3816

Open


christian-vdz commented Oct 29, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.41.1

Storage Type

Postgres

Installation Type

Official Helm chart

Expected Behavior

Dex provides OpenID sub token to Cognito and Cognito creates corresponding user in user pool.

Actual Behavior

Dex provides OpenID sub token to Cognito but Cognito returns following error:
1 validation error detected: Value at 'userName' failed to satisfy constraint: Member must have length less than or equal to 128 .

Steps To Reproduce

Use Dex as "backend" for Cognito (Cognito -> Dex -> LDAP).
Sub token issued by IDP seems to be longer than 128 characters with long user id (in my case, email or name from ldap).

Additional Information

As per https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html, AdminCreateUser accepts usernames only up to 128 chars:

Username
The username for the user. Must be unique within the user pool. Must be a
UTF-8 string between 1 and 128 characters. After the user is created,
the username can't be changed.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Configuration

No response

Logs

No response

@ProbstDJakob

I do not know Cognito, but the official OIDC specs state that the sub must not exceed 255 characters. This does not mean dex is required to provide a sub with 255 characters, but at least it is not breaking the spec when exceeding 128 characters. Therefore, if Cognito officially supports OIDC, this is a bug in Cognito and should be addressed by AWS. Furthermore, only the combination of sub and iss is guaranteed to be unique, thus Cognito should save something like <sub>@<iss> or similar. Since the OIDC specs do not limit the length of the iss but require it to be a URL, the problem of the username only supporting 128 characters gets worse. RFC 9110 section 4.1 states that it is recommended to support URIs with, at minimum, 8000 characters (octets). Therefore Cognito (or any other service provider) should at best not limit username lengths (and support all URL characters) or at least support a reasonable length of 512 or something alike.

Irrespective of this, dex currently does not comply with the OIDC specs and potentially even exceeds the sub max length of 255. The issue #4018 addresses that.
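An added example (not Dex's or Cognito's code) that inspects an ID token's sub against the two limits discussed in this thread, the OIDC maximum of 255 and Cognito's username maximum of 128, and shows one way a relying party could derive a fixed-length username from the (iss, sub) pair. The issuer URL and the 160-character sub are constructed placeholders, and the hashing scheme is an assumption for illustration, not something Cognito does.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Limits from the thread: OIDC Core caps sub at 255 ASCII chars; Cognito caps usernames at 128.
const oidcSubMax, cognitoUserMax = 255, 128
type idClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
}

// parseClaims decodes a JWT payload WITHOUT verifying the signature: it is for
// inspecting what Dex issued, never for a trust decision.
func parseClaims(token string) (idClaims, error) {
	var c idClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(raw, &c)
}

// checkSub reports whether sub fits the OIDC limit and the Cognito username limit.
func checkSub(sub string) (oidcOK, cognitoOK bool) {
	return len(sub) <= oidcSubMax, len(sub) <= cognitoUserMax
}
// derivedUsername illustrates the commenter's point that only (iss, sub) is unique: hashing
// the pair gives a stable 64-char id that always fits 128. Assumed scheme, not Cognito's behaviour.
func derivedUsername(iss, sub string) string {
	h := sha256.Sum256([]byte(iss + "\x00" + sub))
	return fmt.Sprintf("%x", h)
}
func main() {
	// Constructed unsigned token (alg "none" header) with a 160-character sub and a placeholder issuer.
	payload, _ := json.Marshal(idClaims{Iss: "https://dex.example.invalid", Sub: strings.Repeat("u", 160)})
	tok := "eyJhbGciOiJub25lIn0." + base64.RawURLEncoding.EncodeToString(payload) + "."
	c, _ := parseClaims(tok)
	oidcOK, cognitoOK := checkSub(c.Sub)
	fmt.Printf("sub len=%d oidcOK=%v cognitoOK=%v derived=%s\n", len(c.Sub), oidcOK, cognitoOK, derivedUsername(c.Iss, c.Sub))
}
```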
