What happened?
Since upgrading to 0.21.0 it looks like the callback URL from the IDP (at least from Azure AD) has moved from the form.
https://XXX/.pomerium/callback/?pomerium_expiry=123&pomerium_issued=456&pomerium_redirect_uri=XXX/&pomerium_session_encrypted=YYY&pomerium_signature=ZZZ
to
https://XXX/.pomerium/callback/?pomerium_hpke_query=YYY&pomerium_hpke_sender_pub=ZZZ
The latter is massively longer, 11kb vs 1kb for my account. Some users (presumably with more groups to be passed) are receiving HTTP 414 errors from the AWS ALB we have in front of Pomerium. That implies that the request line has gone beyond AWS’s 16kb limit.
What did you expect to happen?
Ideally the handover could be accomplished via a shorter method.
Not really sure of any of the context of moving to HPKE, hence wanting to start this discussion as to whether it is possible to achieve the same goals but with a terser handover string. Maybe encoding in a different alphabet / omitting some fields?
Are there any configuration settings that can be adjusted to try to get the URL size down?
How’d it happen?
As above. Log in to a protected service and watch the URLs in browser devtools on callback.
What’s your environment like?
- Pomerium version (retrieve with `pomerium --version`): v0.21.2
- Server Operating System/Architecture/Cloud: Docker, running on EC2, behind an ALB
What’s your config.yaml?
Very, very standard. Just an IDP provider setup for Azure and a few routes.
What did you see in the logs?
N/A
Additional context
N/A
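A quick way to confirm that a callback redirect will trip the load balancer's request-line limit, and to see which query parameter is responsible for the size, is to measure the request line the browser will actually send. The following is an added diagnostic written for this report, not Pomerium's own code: it takes the 16 KB figure quoted above as the assumed ALB limit, the `example.invalid` host and the padded parameter values are constructed stand-ins for the real callback URLs, and the per-parameter byte counts are measured on the raw (still percent-encoded) query, which is what counts against the limit.

```python
from urllib.parse import urlsplit

# Assumed limit, taken from the 16 KB figure in the report above (not an
# official value looked up from AWS documentation).
ALB_REQUEST_LINE_LIMIT = 16 * 1024


def request_line_length(url, method="GET", http_version="HTTP/1.1"):
    """Bytes in the HTTP/1.1 request line the client sends for `url`:
    METHOD SP request-target SP HTTP-version CRLF.  The scheme and host
    go into the Host header, not the request line, so only path + query count.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    line = f"{method} {target} {http_version}\r\n"
    return len(line.encode("utf-8"))


def query_param_sizes(url):
    """Map each query parameter name to the byte size of its raw `name=value`
    pair, largest first.  The query is split without percent-decoding so the
    sizes match what is transmitted on the wire.
    """
    query = urlsplit(url).query
    sizes = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name = pair.split("=", 1)[0]
        sizes[name] = sizes.get(name, 0) + len(pair.encode("utf-8"))
    return dict(sorted(sizes.items(), key=lambda kv: -kv[1]))


def check_callback_url(url, limit=ALB_REQUEST_LINE_LIMIT):
    """Report whether the request line for `url` fits under `limit` and how
    the bytes are distributed across query parameters."""
    length = request_line_length(url)
    return {
        "request_line_bytes": length,
        "limit": limit,
        "over_limit": length > limit,
        "headroom_bytes": limit - length,
        "params": query_param_sizes(url),
    }


# Constructed sample URLs shaped like the two forms in the report.  The
# parameter values are padding, not real session material.
SAMPLE_PRE_0_21 = (
    "https://example.invalid/.pomerium/callback/"
    "?pomerium_expiry=123&pomerium_issued=456"
    "&pomerium_redirect_uri=https%3A%2F%2Fexample.invalid%2F"
    "&pomerium_session_encrypted=" + "A" * 800
    + "&pomerium_signature=" + "B" * 64
)
SAMPLE_HPKE = (
    "https://example.invalid/.pomerium/callback/"
    "?pomerium_hpke_query=" + "A" * 17000
    + "&pomerium_hpke_sender_pub=" + "B" * 43
)

if __name__ == "__main__":
    for label, url in (("pre-0.21 form", SAMPLE_PRE_0_21), ("HPKE form", SAMPLE_HPKE)):
        report = check_callback_url(url)
        print(f"{label}: {report['request_line_bytes']} bytes, "
              f"over limit: {report['over_limit']}")
        for name, size in report["params"].items():
            print(f"  {name}: {size} bytes")
```

Running it against a captured callback URL (paste the real one in place of the constructed samples) shows at a glance whether a given user is going to get a 414 and how far over the limit the `pomerium_hpke_query` parameter alone puts the request, which is the number to quote when discussing whether a terser encoding or fewer fields would actually bring it back under 16 KB.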