400 Request Header Or Cookie Too Large error in OIDC with WASOidcNonce cookies  #32803

@barbj

Describe the bug
When OIDC authentication requests are not completed, the WASOidcNonce cookies are not deleted. After a while, you will get a 400 Request Header Or Cookie Too Large error.

Steps to Reproduce

  1. Protect an endpoint with OIDC
  2. Open a tab and hit the endpoint, don't login
  3. Open another tab and hit the endpoint, don't login

The URL cookies have an expiration on them, but the nonce cookies do not.

Expected behavior
The WASOidcNonce cookies have an expiration date and are deleted after a few minutes.

Diagnostic information:

  • Affected feature(s) openidConnectClient-1.0
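
A check for the condition reported above, as an added example that is not part of the original report or of Open Liberty's code: it flags WASOidcNonce cookies set without Expires or Max-Age and estimates how many abandoned logins fit under a Cookie header size limit. The cookie suffixes and values, the `ExampleReqURL` name and the 8192-byte limit are constructed assumptions.

```python
NONCE_PREFIX = "WASOidcNonce"  # cookie name prefix named in the issue
HEADER_LIMIT = 8192            # assumed Cookie header limit in bytes

# Constructed sample: Set-Cookie headers left by two abandoned logins.
# Suffixes, values and the URL cookie name are made up for illustration.
SAMPLE_SET_COOKIES = [
    "ExampleReqURLn111=https://app.example/secure; Path=/; Max-Age=420",
    "WASOidcNoncen111=" + "A" * 60 + "; Path=/; HttpOnly",
    "ExampleReqURLn222=https://app.example/secure; Path=/; Max-Age=420",
    "WASOidcNoncen222=" + "B" * 60 + "; Path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def nonce_cookies_without_expiry(set_cookie_headers):
    """Names of nonce cookies carrying neither Expires nor Max-Age."""
    flagged = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.startswith(NONCE_PREFIX) and not {"expires", "max-age"} & attrs.keys():
            flagged.append(name)
    return flagged


def attempts_until_limit(pair_len, limit=HEADER_LIMIT):
    """Abandoned logins until the Cookie header value exceeds `limit`.
    Each lingering cookie is `pair_len` bytes ("name=value"), joined by "; "."""
    count, size = 0, 0
    while size <= limit:
        count += 1
        size = count * pair_len + (count - 1) * 2
    return count


if __name__ == "__main__":
    print("no expiry:", nonce_cookies_without_expiry(SAMPLE_SET_COOKIES))
    pair = len(SAMPLE_SET_COOKIES[1].split(";")[0])
    print("attempts until limit:", attempts_until_limit(pair))
```

The estimate counts only the nonce cookies; other cookies and request headers bring the limit closer.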

Labels: release bug (This bug is present in a released version of Open Liberty)