Cookie Claims Causing HTTP 431 (Request Header Too Large) – Need Configurable/Reduced Claims

Open HappyRoot opened this issue 8 months ago • 3 comments

Hello,

We’re encountering an issue where the system includes all claims in the cookie by default, leading to excessively large headers. This triggers HTTP 431 errors ("Request Header Fields Too Large") due to web server limitations (e.g., Nginx/Apache defaults).

Problem:

Current implementation doesn’t appear to allow customization or reduction of cookie claims.

This becomes a hard blocker in environments with strict header size limits.

Request: Could we either:

Make claims in cookies configurable (e.g., allow an allowlist/denylist), or

Reduce the default payload to only critical claims (e.g., sub, sid)?

This would align with security best practices (minimizing exposed data) and prevent infrastructure issues.

Workarounds we’ve tried:

Adjusting web server settings (not always feasible).

[Add other attempts if applicable].

Thank you for your attention—let me know if further details would help!

Best regards, Happy

HappyRoot, May 29 '25 06:05

On our side, we implemented the following solution (overrode the UserTransformer, specifically the Transform method) - it might be a good idea to make it virtual :)

I can create a pull request to make the method virtual, if you agree and think it would be helpful.

using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
// plus the SimpleIdServer namespaces that declare User, IUserTransformer and UserTransformer

public static class UserTransformerServiceCollectionExtensions
{
    public static IServiceCollection AddExtendedUserTransformer(this IServiceCollection services)
    {
        // Swap the registered IUserTransformer for the reduced-claims implementation.
        return services.Replace(
            ServiceDescriptor.Scoped<IUserTransformer, UserTransformerExtended>()
        );
    }
}

....

// Transform is not virtual in the base class, so it is hidden with 'new' and
// IUserTransformer is re-implemented so calls through the interface reach this version.
internal class UserTransformerExtended : UserTransformer, IUserTransformer
{
    public new ICollection<Claim> Transform(User user)
    {
        // Only the claims the cookie actually needs; everything else stays out of the header.
        var result = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, user.Name)
        };

        if (!string.IsNullOrWhiteSpace(user.Firstname))
            result.Add(new Claim(ClaimTypes.Name, user.Firstname));
        if (!string.IsNullOrWhiteSpace(user.Lastname))
            result.Add(new Claim(ClaimTypes.GivenName, user.Lastname));

        return result;
    }
}

HappyRoot, May 29 '25 08:05

Hello,

You're right — this is indeed an issue in the current implementation. The user transformer should not store all the claims in the cookie. We will remove this feature and make the method virtual. I'm really glad you were able to find a solution to work around this issue. :)

KR, SID

simpleidserver, May 29 '25 18:05

The issue has been fixed in the release/v6.0.3 branch. We made the following modifications:

  • Only the following claims are now included in the cookie: NameIdentifier, FirstName, LastName, and Picture. All of these fields are required by the Identity Server UI.
  • The Transform function is now virtual, making it easier to override this function in a subclass.

Commit: https://github.com/simpleidserver/SimpleIdServer/commit/7acd5283c7c711d8d7fdb9f81ab72286d3157ff2

simpleidserver, May 31 '25 19:05
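With Transform now virtual, the configurable allowlist requested in the issue can be done in a subclass. The following is an added example, not SimpleIdServer's own code; it assumes the v6.0.3 signature is `public virtual ICollection<Claim> Transform(User user)`, that UserTransformer has a parameterless constructor, and CookieClaimsOptions is a hypothetical options type supplied from configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;
// plus the SimpleIdServer namespaces that declare User, IUserTransformer and UserTransformer

// Hypothetical options object (not part of SimpleIdServer): which claim types may go
// into the cookie, and a rough byte budget for the plaintext claim payload.
public sealed class CookieClaimsOptions
{
    public ISet<string> AllowedClaimTypes { get; } =
        new HashSet<string>(StringComparer.Ordinal) { ClaimTypes.NameIdentifier };
    // Encryption and base64url encoding inflate the cookie further, so stay well
    // below the web server's header limit (nginx/Apache default around 8 KB).
    public int MaxPayloadBytes { get; set; } = 2048;
}

// Assumes the base Transform is virtual (release/v6.0.3) and parameterless to construct.
internal sealed class AllowlistUserTransformer : UserTransformer
{
    private readonly CookieClaimsOptions _options;
    private readonly ILogger<AllowlistUserTransformer> _logger;

    public AllowlistUserTransformer(CookieClaimsOptions options, ILogger<AllowlistUserTransformer> logger)
    {
        _options = options;
        _logger = logger;
    }

    public override ICollection<Claim> Transform(User user)
    {
        // Start from the base mapping, then keep only allowlisted claim types.
        var kept = base.Transform(user).Where(c => _options.AllowedClaimTypes.Contains(c.Type)).ToList();
        // Estimate the plaintext payload so an oversized cookie surfaces at sign-in, not as a 431.
        var bytes = kept.Sum(c => Encoding.UTF8.GetByteCount(c.Type) + Encoding.UTF8.GetByteCount(c.Value));
        if (bytes > _options.MaxPayloadBytes)
            _logger.LogWarning("Cookie claims for {User} are {Bytes} bytes, over the {Max} byte budget",
                user.Name, bytes, _options.MaxPayloadBytes);
        return kept;
    }
}

public static class CookieClaimsServiceCollectionExtensions
{
    public static IServiceCollection AddAllowlistUserTransformer(this IServiceCollection services, CookieClaimsOptions options)
    {
        services.AddSingleton(options);
        return services.Replace(ServiceDescriptor.Scoped<IUserTransformer, AllowlistUserTransformer>());
    }
}
```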