Any way to shorten the callback URLs, post move to HPKE? Causing 414s from AWS ALB

What happened?

Since upgrading to 0.21.0 it looks like the callback URL from the IDP (at least from Azure AD) has moved from the form.

https://XXX/.pomerium/callback/?pomerium_expiry=123&pomerium_issued=456&pomerium_redirect_uri=XXX/&pomerium_session_encrypted=YYY&pomerium_signature=ZZZ

to

https://XXX/.pomerium/callback/?pomerium_hpke_query=YYY&pomerium_hpke_sender_pub=ZZZ

The latter is massively longer, 11kb vs 1kb for my account. Some users (presumably with more groups to be passed) are receiving HTTP 414 errors from the AWS ALB we have in front of Pomerium. That implies that the request line has gone beyond AWS’s 16kb limit.

What did you expect to happen?

Ideally the handover could be accomplished via a shorter method.

Not really sure of any of the context of moving to HPKE, hence wanting to start this discussion as to whether it is possible to achieve the same goals but with a terser handover string. Maybe encoding in a different alphabet / omitting some fields?

Are there any configuration settings that can be adjusted to try to get the URL size down?

How’d it happen?

As above. Log in to a protected service and watch the URLs in browser devtools on callback.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): v0.21.2
  • Server Operating System/Architecture/Cloud: Docker, running on EC2, behind an ALB

What’s your config.yaml?

Very, very standard. Just an IDP provider setup for Azure and a few routes.

What did you see in the logs?

N/A

Additional context

N/A


Please check whether your IdP may be sending some excessive data in the Identity Token, and filter out the claims you do not need / use, to reduce the callback payload size.

e.g. some IdPs are known to return the avatar picture as a blob in the claims.
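The two diagnostics this thread points at, as an added example written here and not Pomerium's own code: measuring each callback query parameter against the 16 KB ALB request-line limit the original post mentions, and sizing the claims in the ID token the IdP returns, as the reply recommends. The sample URL, the sample token and the constant names are constructed assumptions; the token check reads the payload only and verifies nothing.

```python
import base64
import json
from urllib.parse import urlsplit

# Request-line limit the post attributes to the AWS ALB (16 KB); the constant name is ours.
ALB_REQUEST_LINE_LIMIT = 16 * 1024


def callback_param_sizes(url: str) -> dict:
    """Byte length of each raw (still percent-encoded) query value and of the whole URL."""
    query = urlsplit(url).query
    sizes = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        sizes[key] = len(value.encode())
    total = len(url.encode())
    return {"total": total, "params": sizes, "over_limit": total > ALB_REQUEST_LINE_LIMIT}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claim_sizes(id_token: str) -> list:
    """(claim, bytes) pairs for the token payload, largest first.
    The signature is deliberately not checked: this only measures what the IdP sent."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return sorted(((k, len(json.dumps(v).encode())) for k, v in claims.items()),
                  key=lambda kv: kv[1], reverse=True)


# --- constructed samples, not a real token or a real callback ---
def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "user-1", "email": "user@example.test",
             "groups": ["g%d" % i for i in range(40)],
             "picture": "data:image/png;base64," + "Q" * 3000}),  # avatar blob claim
    "not-a-real-signature",
])
SAMPLE_CALLBACK = ("https://proxy.example/.pomerium/callback/?pomerium_hpke_query="
                   + "A" * 17000 + "&pomerium_hpke_sender_pub=" + "B" * 43)

if __name__ == "__main__":
    print(callback_param_sizes(SAMPLE_CALLBACK))
    print(id_token_claim_sizes(SAMPLE_ID_TOKEN)[:3])
```

Run it against a callback URL copied from the browser devtools and the ID token from the IdP to see which parameter or claim is pushing the request line over the limit.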