docker login failed with "HTTP 400 Bad Request - Request Header Or Cookie Too Large " error when using VM managed identity authentication

[boliu83]

Describe the bug
Docker CLI login using Azure VM managed identity failed with HTTP 400 Bad Request - Request Header Or Cookie Too Large error when the AAD access token exceeds certain size (6089 characters in my test).

AAD access token obtained from IMDS auth endpoint normally is much smaller than 6089 characters, however in some cases e.g. identity is member of large number of security groups, then token size can grow beyond 6089 charaters due to the list of groups membership is also included in the access token.

This issue has already been reported to ACR PG. Creating issue here as requested by the end customer so he can track the status of the fix.

To Reproduce
Steps to reproduce the behavior:

1. Generate token/password with 6090 characters or more. for testing purpose this does not have to be an actual AAD access token.
   TOKEN=strings /dev/urandom | tr -dc A-Za-z0-9 | head -c6090

2. Run docker login using the token
   docker -D login -u 00000000-0000-0000-0000-000000000000 -p $TOKEN fqdn.azurecr.io

3. Expect the login to fail due to 400 Request Header Or Cookie Too Large error

Expected behavior
Docker login should succeed when using AAD token regardless of the size of group list in the token.

Screenshots

Any relevant environment information

• OS: [e.g. Ubuntu, Windows]
• Azure CLI/PowerShell/SDK version
• Docker version
• Datetime (UTC) when the issue occurred
• Registry and image names

Additional context
Add any other context about the problem here.

If any information is a concern to post here, you can create a support ticket or send an email to acrsup@microsoft.com.

[toddysm]

@johnsonshi Can you please take a look and try to reproduce this. We need to think if there are any limits that need to be enforced.

[johnsonshi]

@toddysm and @boliu83, I've managed to reproduce this.

For context, the current authN flow with ACR is:

1. ACR first performs an AAD access token size check to prevent against abuse through spamming randomly generated large tokens with large numbers of claims.
2. If the AAD access token size is under a limit (in this case 6089 chars or less), ACR then actually checks the validity of the token authN request and the claims.

The issue is that AAD does not prescribe any max token sizes. The more claims (roles, group membership, user attributes) included in the token, the larger it becomes. Customers seem to be facing the ACR-imposed limit in production nowadays due to the large numbers of claims in production real-world customer authN scenarios.

I'll discuss this with the ACR PG team to see if increasing the valid access token size (during step 1 validation in my described flow above) is something we plan on doing.