next-auth.session-token not being created for some users #2601
Replies: 2 comments
-
It doesn't sound like an issue with next-auth. We don't respond with 502 errors anywhere. Sounds like an nginx config issue.

Make sure you don't exceed the 4kb/cookie limitation if you use a jwt cookie persisted session (instead of db persisted ones): https://next-auth.js.org/faq#what-are-the-disadvantages-of-json-web-tokens

Make sure you don't have some legacy or weird analytics cookie exceeding the limit either.

BTW, since Node 13, the default size is 16kb in Node. Might be a good idea to match that in nginx.
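The two limits raised in the reply above, checked against a callback response. This is an added diagnostic example, not part of the thread and not next-auth code; the 4096-byte per-cookie cap, the `auditSetCookies` helper and the sample values are assumptions constructed for illustration.

```javascript
// Added diagnostic example, not next-auth code. Limits are assumptions to tune.
const PER_COOKIE_LIMIT = 4096;        // common browser cap on name + value, in bytes
const PROXY_HEADER_BUFFER = 8 * 1024; // the 8k proxy buffer mentioned in the thread

// Split one Set-Cookie header line into its name and value (attributes ignored).
function parseSetCookie(line) {
  const pair = line.split(";")[0];
  const eq = pair.indexOf("=");
  if (eq < 0) return { name: "", value: pair.trim() };
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Report which cookies a browser is likely to drop and whether the whole
// Set-Cookie block would overflow the proxy's response header buffer.
function auditSetCookies(lines, perCookie = PER_COOKIE_LIMIT, buffer = PROXY_HEADER_BUFFER) {
  const cookies = lines.map((line) => {
    const { name, value } = parseSetCookie(line);
    const bytes = Buffer.byteLength(name + value, "utf8");
    return { name, bytes, oversized: bytes > perCookie };
  });
  // Each header costs "Set-Cookie: " + line + CRLF on the wire.
  const headerBytes = lines.reduce(
    (sum, line) => sum + Buffer.byteLength("Set-Cookie: " + line + "\r\n", "utf8"), 0);
  return {
    cookies,
    headerBytes,
    dropped: cookies.filter((c) => c.oversized).map((c) => c.name),
    overflowsProxyBuffer: headerBytes > buffer,
  };
}

// Constructed sample: a callback response whose JWT session cookie grew past 4 KB.
const sample = [
  "__Host-next-auth.csrf-token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "__Secure-next-auth.callback-url=https%3A%2F%2Fapp.example.test; Path=/; HttpOnly; Secure; SameSite=Lax",
  "__Secure-next-auth.session-token=" + "x".repeat(4200) + "; Path=/; HttpOnly; Secure; SameSite=Lax",
];

const report = auditSetCookies(sample);
console.log(report.dropped, report.headerBytes, report.overflowsProxyBuffer);
```

With a 4k buffer the same response overflows the proxy; with 8k it passes the proxy, but the session cookie is still over the per-cookie cap.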
-
Update, cookie chunking is on the way! #3101 🎉
-
Question 💬

Some of our users are unable to log in to our site.

We use next-auth to link our own custom OAuth implementation with our various user-facing applications. 99% of users are able to use it without issues, but several users have reported problems with the session callback.

We run our NextJS app behind an NGINX reverse proxy.

These users used to just get straight 502s (oauth2-proxy/oauth2-proxy#646) due to the proxy buffer being set too small. Raising it from 4 to 8k solved that issue - but the profile object still does not get created for these users.

They have correct and valid access grants and tokens (which successfully authenticate with our OAuth backend) but the Bearer token is never sent (causing the request to our profileUrl endpoint to 403). These users all have __Host-next-auth.csrf-token and __Secure-next-auth.callback-url cookies, but are missing __Secure-next-auth.session-token, which stores the token needed to fetch the profile object.

My question is: Why isn't the session-token cookie being set for these users? Are they running into some kind of browser limit for per-request cookies?

How to reproduce ☕️

Disable the ability to set next-auth.session-token on any implementation of NextAuthJS.

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR