@gazzadownunder
Issue: Multi-Cookie Session Authentication Failure #5347

Root Cause

File: pkg/proxy/proxy.go:54

When OAuth sessions exceed 4KB, oauth2-proxy automatically splits the session across multiple cookies:

Cookie names: obot_access_token_0, obot_access_token_1, obot_access_token_2, etc.
The base cookie obot_access_token does NOT exist in multi-cookie mode
The AuthenticateRequest() function only checks for the base cookie name:

func (pm *Manager) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
    // Check for the access token cookie.
    if _, err := req.Cookie(ObotAccessTokenCookie); errors.Is(err, http.ErrNoCookie) {
        return nil, false, nil  // ← Returns "not authenticated"
    }
    // ... rest of authentication logic
}

When the base cookie doesn't exist:

  1. req.Cookie() returns http.ErrNoCookie
  2. Function returns nil, false, nil (not authenticated)
  3. Middleware redirects to login page
  4. User already has valid session but cannot be authenticated

Solution

Check for both the base cookie and the first multi-cookie:

func (pm *Manager) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
    // Check for the access token cookie.
    // When sessions exceed 4KB, oauth2-proxy splits them into multiple cookies (_0, _1, _2, etc.)
    // so we check for either the base cookie or the _0 cookie.
    _, err := req.Cookie(ObotAccessTokenCookie)
    if errors.Is(err, http.ErrNoCookie) {
        // Try the _0 cookie for multi-cookie sessions
        if _, err := req.Cookie(ObotAccessTokenCookieZero); errors.Is(err, http.ErrNoCookie) {
            return nil, false, nil
        }
    }
    // ... rest of authentication logic
}

gazzadownunder and others added 2 commits December 17, 2025 13:41
When OAuth sessions exceed 4KB (typically from auth providers with many
roles/groups), oauth2-proxy splits the session across multiple cookies
named obot_access_token_0, obot_access_token_1, etc. In this mode, the
base cookie "obot_access_token" does NOT exist.

The AuthenticateRequest function only checked for the base cookie name,
causing authentication to fail for large sessions even though valid
session cookies were present. This resulted in users being redirected
back to the login page in an infinite loop.

This fix checks for both the base cookie (obot_access_token) and the
first multi-cookie (obot_access_token_0), allowing authentication to
succeed for both normal and multi-cookie sessions.

Impact:
- Fixes infinite login loop for users with large OAuth sessions
- Particularly affects Keycloak deployments with many roles/groups
- No impact on normal (<4KB) sessions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
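The PR description and the commit message above both describe the same layout: a session that fits in one cookie is stored under the base name, and a session that does not fit is stored as name_0, name_1, ... with no base cookie, so a check for the base name alone reports "no session". The fix only tests whether the base cookie or the _0 cookie exists and leaves reassembly to the rest of the authentication logic. The following is an added example written for this page, not obot's or oauth2-proxy's code, of the read side of that layout: it looks for the base cookie first, otherwise gathers the numbered chunks in any order, refuses a chunk set with gaps or duplicate indices, and returns the joined value. The function names (LoadSessionCookie, SplitSessionCookies, buildRequest), the 4000-byte chunk size and the sample session value are all assumptions made for the example; the real threshold and chunk naming are whatever oauth2-proxy uses.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strconv"
	"strings"
)

// LoadSessionCookie returns the value of a session cookie that may have been
// split into name_0, name_1, ... chunks (assumed layout, modelled on the PR
// text; not oauth2-proxy's own implementation). The second result reports
// whether a complete session was found. The value is NOT authenticated here:
// the caller must still verify it (signature, expiry) as for a single cookie.
func LoadSessionCookie(req *http.Request, name string) (string, bool) {
	// Single-cookie case: the base cookie is present.
	if c, err := req.Cookie(name); err == nil {
		return c.Value, true
	}

	// Multi-cookie case: collect every name_<n> chunk, in whatever order the
	// browser sent them. Cookies that merely share the prefix are ignored.
	prefix := name + "_"
	type chunk struct {
		idx int
		val string
	}
	var chunks []chunk
	for _, c := range req.Cookies() {
		if !strings.HasPrefix(c.Name, prefix) {
			continue
		}
		i, err := strconv.Atoi(strings.TrimPrefix(c.Name, prefix))
		if err != nil {
			continue // e.g. name_csrf: not a numbered chunk
		}
		chunks = append(chunks, chunk{idx: i, val: c.Value})
	}
	if len(chunks) == 0 {
		return "", false // no session at all: the legitimate "not authenticated" path
	}

	// Fail closed on gaps or duplicates: a partially expired or tampered chunk
	// set must not be joined into something that merely looks like a session.
	sort.Slice(chunks, func(a, b int) bool { return chunks[a].idx < chunks[b].idx })
	for n, ch := range chunks {
		if ch.idx != n {
			return "", false
		}
	}
	var sb strings.Builder
	for _, ch := range chunks {
		sb.WriteString(ch.val)
	}
	return sb.String(), true
}

// SplitSessionCookies is the write side, used here only to build realistic
// input: one cookie when the value fits, otherwise name_0, name_1, ... chunks
// of at most maxSize bytes and no base cookie.
func SplitSessionCookies(name, value string, maxSize int) []*http.Cookie {
	if len(value) <= maxSize {
		return []*http.Cookie{{Name: name, Value: value}}
	}
	var out []*http.Cookie
	for i := 0; len(value) > 0; i++ {
		n := maxSize
		if n > len(value) {
			n = len(value)
		}
		out = append(out, &http.Cookie{Name: fmt.Sprintf("%s_%d", name, i), Value: value[:n]})
		value = value[n:]
	}
	return out
}

// buildRequest attaches cookies to a request the way a browser would.
func buildRequest(cookies []*http.Cookie) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://example.invalid/", nil)
	for _, c := range cookies {
		req.AddCookie(c)
	}
	return req
}

func main() {
	// Constructed sample: a 5000-byte session, larger than one cookie holds.
	big := strings.Repeat("abcdefghij", 500)
	req := buildRequest(SplitSessionCookies("obot_access_token", big, 4000))
	_, err := req.Cookie("obot_access_token")
	fmt.Println("base cookie present:", err == nil) // false: only _0 and _1 exist
	got, ok := LoadSessionCookie(req, "obot_access_token")
	fmt.Println("session found:", ok, "intact:", got == big) // true true
}
```

Two points for anyone porting the existence check from the PR into code that also reads the session: presence of name_0 says nothing about validity, so the joined value must go through the same signature and expiry verification as a single cookie; and a chunk set with a missing or repeated index should be treated as no session rather than joined, otherwise an attacker who can drop or replay individual cookies can feed the verifier a value the server never wrote.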
@gazzadownunder gazzadownunder changed the title Bug: Multi-Cookie Session Authentication Failure Fix: Multi-Cookie Session Authentication Failure Dec 17, 2025