Invalid token when too many groups · Issue #169 · iits-consulting/otc-auth · GitHub
Invalid token when too many groups #169

Open
bbung opened this issue May 15, 2025 · 3 comments
bbung commented May 15, 2025

Hi,

we are using OIDC with Azure AD and this works fine until we have more than 8 groups on a user. I get the following error message:

```
otc-auth login idp-oidc --overwrite-token
E0515 10:31:12.245137   81673 functions.go:58] fatal: status 400 , body:
{"error":{"code":400,"message":"Request parameter 'id token' is invalid.","title":"Bad Request"}}
```

As soon as I put my user in only 8 groups, this error no longer occurs. The second thing I observed: it also works when I explicitly log out from Azure AD.

I have no idea how to debug that, so any help would be appreciated.

Due to the general OIDC group limit in OTC, we use roles from AD and map them to groups in OTC.

Mapping rule:

```json
[
  {
    "remote": [
      {
        "type": "email"
      },
      {
        "type": "roles"
      }
    ],
    "local": [
      {
        "user": {
          "name": "{0}"
        }
      },
      {
        "groups": "{1}"
      }
    ]
  }
]
```

We are requesting the following scopes: "profile,openid,email".

If you can point me in any direction on how to debug that issue, I can try to get more information or find the issue myself. Currently I am a bit lost.

Thanks and regards,
Björn

@Ninja243 (Contributor)

Hi! This sounds like an issue we've had previously which occurs when the length of the token is too long. We'll look into it!

@Ninja243 Ninja243 self-assigned this May 16, 2025
bbung commented May 16, 2025

Can the issue be caused by the mapping rule when we have a very long username?

To see our groups, we had the groups added to the username, like:

```json
[
  {
    "remote": [
      {
        "type": "email"
      },
      {
        "type": "roles"
      }
    ],
    "local": [
      {
        "user": {
          "name": "{0} {1}"
        }
      },
      {
        "groups": "{1}"
      }
    ]
  }
]
```

@Ninja243 (Contributor)

Yeah, that might be! As far as I know the issue is with the total length of the token, so if the username is part of that and is long, that might be a contributing factor.
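The thread raises two diagnostic questions: how much each claim (especially `roles`) contributes to the size of the id_token, and what the mapping rule with `"name": "{0} {1}"` turns the username into. The script below is an added example written for this page; it is not part of the thread and not otc-auth code. It builds a constructed, unsigned token from hypothetical claims purely to measure size, decodes a token's payload without signature verification (for local inspection only, never for an authorisation decision), and applies the thread's second mapping rule. Everything in it is an assumption: the claim values, the issuer and client id, and in particular how a multi-valued `roles` claim is rendered into a `{n}` placeholder (comma-joined here; the real OTC mapping engine may serialise it differently). The actual length limit that triggers OTC's 400 is not stated in the thread and is not assumed here.

```python
import base64
import json

# Constructed copy of the thread's second mapping rule (roles appended to the username).
RULE_ROLES_IN_USERNAME = [
    {
        "remote": [{"type": "email"}, {"type": "roles"}],
        "local": [{"user": {"name": "{0} {1}"}}, {"groups": "{1}"}],
    }
]


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_claims(n_roles: int) -> dict:
    """Hypothetical id_token claims shaped like an Azure AD token carrying n app roles."""
    return {
        "iss": "https://login.example.invalid/tenant-id/v2.0",  # constructed issuer
        "aud": "example-client-id",                             # constructed client id
        "sub": "subject-constructed",
        "email": "bjoern.example@example.invalid",
        "roles": [f"otc-group-{i:02d}" for i in range(n_roles)],
    }


def build_unsigned_token(claims: dict) -> str:
    """Compact JWS with an empty signature, built ONLY to measure size.
    A real id_token is signed by the IdP; this one must never be sent anywhere."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_payload(id_token: str) -> dict:
    """Read the claims WITHOUT verifying the signature: fine for local diagnostics,
    never for deciding whether to trust the token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def claim_sizes(id_token: str) -> dict:
    """Bytes each claim contributes to the serialised payload, largest first."""
    payload = decode_payload(id_token)
    sizes = {k: len(json.dumps({k: v}, separators=(",", ":"))) for k, v in payload.items()}
    return dict(sorted(sizes.items(), key=lambda kv: kv[1], reverse=True))


def token_length(n_roles: int) -> int:
    """Characters on the wire for a constructed token carrying n_roles roles."""
    return len(build_unsigned_token(constructed_claims(n_roles)))


def apply_mapping_rule(rule: list, claims: dict) -> dict:
    """Fill the {n} placeholders of each 'local' template with the n-th 'remote' claim.
    ASSUMPTION: a multi-valued claim (roles) is rendered comma-joined; the real OTC
    mapping engine may serialise lists differently."""
    mapped = {}
    for entry in rule:
        values = []
        for remote in entry["remote"]:
            value = claims[remote["type"]]
            values.append(",".join(value) if isinstance(value, list) else str(value))
        for local in entry["local"]:
            if "user" in local:
                mapped["user"] = local["user"]["name"].format(*values)
            if "groups" in local:
                mapped["groups"] = local["groups"].format(*values)
    return mapped


if __name__ == "__main__":
    for n in (8, 9, 20):
        print(f"{n:2d} roles -> constructed id_token length {token_length(n)}")
    tok = build_unsigned_token(constructed_claims(9))
    print("largest claims:", list(claim_sizes(tok).items())[:3])
    print("mapped identity:", apply_mapping_rule(RULE_ROLES_IN_USERNAME, constructed_claims(3)))
```

To inspect a real id_token obtained from your own IdP, pass it to `claim_sizes` instead of the constructed one: the claim at the top of the result is the one to trim (or to stop copying into the username) first, and the growth between `token_length(8)` and `token_length(9)` shows why an extra group can be the difference between an accepted and a rejected token even though nothing else changed.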
