Proxy auth backend does not support cookie splitting

sdbruder · June 30, 2025, 3:20pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

opensearch 2.19.1 & equivalent dashboard.

Describe the issue:

After implementing dashboard auth with OpenID we ended up going to oauth2-proxy with the proxy authentication backend because of the lack of group overage when using an entra ID app, which solved our too-many-groups users, but now the cookie setup by dashboards is too big (16KB and something).

We’ve discovered that other backends have cookie splitting, but not proxy backend.

Any know way to solve this?

Configuration:

Relevant Logs or Screenshots:

pablo · July 2, 2025, 10:17am

@sdbruder According to OpenSearch GitHub the cookie splitting was implemented for SAML and OpenID to handle too many roles issue.

github.com/opensearch-project/security-dashboards-plugin

[BUG] opensearch login not working with more than 15 roles assign to user

opened 10:42AM - 29 Aug 23 UTC

closed 05:51PM - 20 Mar 24 UTC

Rajat0312

bug triaged

Hey, Currently i am using OpenSearch 1.3.X version and in this version i am fac…ing Too large Cookie issue https://github.com/opensearch-project/security/issues/374 this issue is solved in 2.7 version but i need some workaround for 1.3.X version to solve this issue. When i am using user with around 10-12 roles it works but when i increate roles up to 15 then not able to login to OpenSearch-dashboard. and can anyone tell me about how this works like where JWT token is created either in OpenSearch or in OpenSearch-dashboard and from where cookies sets.

I couldn’t find anything related to proxy.

Would you mind creating a feature reqeust in the OpenSearch Github?

sdbruder · July 2, 2025, 11:11am

Doing it. here: [FEATURE] Cookie splitting is also needed in the proxy auth backend · Issue #2276 · opensearch-project/security-dashboards-plugin · GitHub

Topic		Replies	Views
JWT token size with Security	2	554	January 31, 2023
I want to configure opensearch dashboards behind a reverse proxy, that will do the SSL authentication for me Security	12	3378	August 31, 2023
Can you use proxy authentication and basic auth together for OpenSearch dashboards? Security	6	660	February 22, 2024
OpenSearch Auth Fails to Retrieve Backend Roles from LDAP when Authenticating via Dashboards OpenSearch Dashboards troubleshoot	2	18	June 4, 2025
OpenID with Auth0 Security troubleshoot	14	88	December 17, 2024

Proxy auth backend does not support cookie splitting

Related topics