
Why doesn't claims transformation reduce the cookie size?

I am using Azure AD (.NET Core 2.1) and have registered my app and configured it to return AD groups as claims. I am also using claims transformation to remove all group claims other than the three groups that my app uses, which successfully eliminates over 100 groups. I did this hoping that it would reduce the size of the cookie in subsequent request headers, but this does not appear to be the case.

Whether I use the claims transformation or not, the cookie size is the same.

I know that the claims transformation is working, because I have a simple page that iterates the claims in a list, and it correctly shows only the three groups when I have the filter in place.

As a result of the large cookie, I am getting HTTP 400 - Request too long. I can work around this by modifying the registry on the web server (as suggested elsewhere https://support.microsoft.com/en-us/help/2020943/http-400-bad-request-request-header-too-long-response-to-http-request), but my real question is what is the point of filtering the claims if the size of the cookie remains unchanged?

I would also be interested to know if there is an app setting that I could use to increase the max header size, to avoid having to modify the registry.

I'm not sure if the code is really relevant here, but here are a few snippets:

public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
    var identity = principal.Identity as ClaimsIdentity;
    if (identity != null)
    {
        var unused = identity.FindAll(GroupsToRemove).ToList();
        unused.ForEach(c => identity.TryRemoveClaim(c));
    }
    return Task.FromResult(principal);
}

The filter is registered as a singleton in Startup.cs:

services.AddSingleton<IClaimsTransformation, FilterGroupClaimsTransformation>();

Dominick asked Jul 12 '18 21:07


1 Answer

Brad answered the question as to why the cookie size did not change by using claims transformation. Here is the code I used to reduce the cookie size, thanks to his suggestion:

In Startup.cs, ConfigureServices()...

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(...)
       .AddCookie(options => options.Events.OnSigningIn = FilterGroupClaims);
}

private static Task<ClaimsPrincipal> FilterGroupClaims(CookieSigningInContext context)
{
    var principal = context.Principal;
    if (principal.Identity is ClaimsIdentity identity)
    {
        var unused = identity.FindAll(GroupsToRemove).ToList();
        unused.ForEach(c => identity.TryRemoveClaim(c));
    }
    return Task.FromResult(principal);
}

private static bool GroupsToRemove(Claim claim)
{
    string[] _groupObjectIds = new string[] { };    // pull from config or wherever
    return claim.Type == "groups" && !_groupObjectIds.Contains(claim.Value);
}

For my end solution, I moved the static methods inside another class, but I kept everything inline here for brevity. Cookie size reduced from 6 chunks to 2 with this method.

Dominick answered Oct 07 '22 00:10
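
The cookie carries the serialized authentication ticket built at sign-in, so its size follows the claims present at that point. The console program below is an added example, not code from the question or answer: it measures the serialized ticket before and after the same group filter. It assumes a project that references the ASP.NET Core shared framework; the class name `TicketSizeDemo`, the group ids and the user name are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

public static class TicketSizeDemo
{
    // Serialized size of the ticket that the cookie handler protects and writes.
    public static int TicketBytes(ClaimsPrincipal principal) =>
        TicketSerializer.Default.Serialize(new AuthenticationTicket(
            principal, CookieAuthenticationDefaults.AuthenticationScheme)).Length;

    // Lower bound on cookie chunks: counts base64 expansion only and ignores
    // data-protection overhead and the cookie name and attributes.
    public static int MinChunks(int ticketBytes) =>
        (int)Math.Ceiling(ticketBytes * 4 / 3.0 / ChunkingCookieManager.DefaultChunkSize);

    public static void Main()
    {
        // Constructed sample: 120 group object ids, of which the app uses 3.
        var allGroups = Enumerable.Range(0, 120)
            .Select(_ => Guid.NewGuid().ToString()).ToList();
        var allowed = new HashSet<string>(allGroups.Take(3));

        var identity = new ClaimsIdentity(
            allGroups.Select(g => new Claim("groups", g)), "AzureAD");
        identity.AddClaim(new Claim(ClaimTypes.Name, "user@example.com"));
        var principal = new ClaimsPrincipal(identity);

        int before = TicketBytes(principal);

        // Same filter as the OnSigningIn handler: drop groups not on the allow-list.
        var unused = identity
            .FindAll(claim => claim.Type == "groups" && !allowed.Contains(claim.Value))
            .ToList();
        foreach (var extra in unused)
            identity.TryRemoveClaim(extra);

        int after = TicketBytes(principal);
        Console.WriteLine($"before: {before} bytes, at least {MinChunks(before)} chunk(s)");
        Console.WriteLine($"after:  {after} bytes, at least {MinChunks(after)} chunk(s)");
    }
}
```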