Facing 431 Request Header Fields Too Large error

[hirenoble]

I'm submitting this issue for the package(s):

• jwt-verifier
• oidc-middleware

I'm submitting a:

• Bug report
• Feature request
• Other (Describe below)

Current behavior

When the browser cookies payload is large receiving 431 Request Header Fields Too Large error.

Expected behavior

The @okta/oidc-middleware package should handle the request headers.

Minimal reproduction of the problem with instructions

Extra information about the use case/user story you are trying to implement

Environment

• Package Version:
• Browser:
• OS:
• Node version (node -v):
• Other:

[swiftone]

@hirenoble - Thanks for the feedback. For clarity, you're receiving this from the express server on a page you're serving, correct? Do you have an example cookie payload size (don't need the exact cookies, but a payload size to reproduce the error).

[aarongranick-okta]

internal ref: OKTA-367034

[swiftone]

Note: This may be due to a node fix of this issue: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121

The fix sets the max size of headers to be 8kb. (you can see this in node --help) If you are exceeding that, you can alter this limit by using the --max-http-header-size flag, for example: --max-http-header-size=16384

Please let us know if you're hitting this limit of node or if you're hitting a different limit that is somehow related to this SDK.