Fix HTTP431 Request header fields too large

We’re developing an ASP.NET Core website with a Web API backend, all on a cloud platform. Authentication is implemented with OpenID Connect and cookies. Every tab is a separate application, to reduce release and test times. For the website / applications we have a Razor class library that contains the main layout. See all posts in this series: cloudnative.

Today we received feedback that some users get an HTTP 431 error when browsing the website. This started right after we added the access_token to the cookie, so that had to be the cause. The message is “request header fields too large”. Could this be the feared token bloat, where some users have so many claims that the token becomes too large?

Turns out we’re not alone, and the solution was already on GitHub: https://github.com/dotnet/aspnetcore/issues/30016. Our solution was to remove SaveTokens = true and store only the access_token in the OnTokenResponseReceived event (we’re using code flow). The solution in code is below.

.AddOpenIdConnect(opt =>
{
  // opt.SaveTokens = true; // stores id_token, access_token and refresh_token in the cookie: results in HTTP431 for some users
  opt.Events = new OpenIdConnectEvents
  {
    OnTokenResponseReceived = c =>
    {
      // store only the access_token in the authentication properties (and thus in the cookie)
      c.Properties.StoreTokens(new[]
      {
        new AuthenticationToken
        {
          Name = "access_token",
          Value = c.TokenEndpointResponse.AccessToken
        }
      });
      return Task.CompletedTask;
    }
  };
});

In the developer tools (F12), on the Application tab, you can see the cookie for the website. With SaveTokens = true it was 7 or more chunks. After the change the cookie was only 2 chunks. Problem solved.
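As an added example (not code from the original post), this is how the access_token stored by the event above can be read back and attached to calls to the Web API backend. It uses the standard GetTokenAsync extension on HttpContext; the handler name ApiTokenHandler and its registration are assumptions. Because only "access_token" was stored, GetTokenAsync for "id_token" or "refresh_token" would return null here, so this setup has no refresh token available for silent renewal.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical DelegatingHandler: forwards the stored access_token as a Bearer token.
public sealed class ApiTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;

    public ApiTokenHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var httpContext = _accessor.HttpContext;
        if (httpContext is not null)
        {
            // GetTokenAsync reads the tokens kept in the AuthenticationProperties of the
            // cookie ticket. With the OnTokenResponseReceived event above only
            // "access_token" is present; "id_token" and "refresh_token" return null.
            var accessToken = await httpContext.GetTokenAsync("access_token");
            if (!string.IsNullOrEmpty(accessToken))
            {
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", accessToken);
            }
        }

        return await base.SendAsync(request, cancellationToken);
    }
}

// Registration in Program.cs (assumed names: "BackendApi" client, ApiTokenHandler).
public static class ApiClientRegistration
{
    public static IServiceCollection AddBackendApiClient(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddTransient<ApiTokenHandler>();
        services.AddHttpClient("BackendApi", client =>
            {
                // placeholder base address for the Web API backend
                client.BaseAddress = new System.Uri("https://api.example.invalid/");
            })
            .AddHttpMessageHandler<ApiTokenHandler>();
        return services;
    }
}
```

The cookie stays small because the handler only needs the one token that was stored; anything not written by StoreTokens is simply not available to later requests.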


Unable to unprotect the message.State

We’re developing an ASP.NET Core website with a Web API backend, all on a cloud platform. Authentication is implemented with OpenID Connect and cookies. Every tab is a separate application, to reduce release and test times. For the website / applications we have a Razor class library that contains the main layout. See all posts in this series: cloudnative.

Debugging on localhost worked like a charm. But after deploying with 2 instances we received errors. The logging showed: “Unable to unprotect the message.State”. We found that this was documented at https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers#issue-with-scaled-out-web-apps-in-app-services. Since we used 2 instances, the encryption key of one instance was unknown to the other instance; the keys needed to be shared.

We configured the applications to use Redis for saving (and sharing) the keys. This also met the requirement that a user should log in only once and then have access to all applications.
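As an added example (not the post’s own configuration), this is the Data Protection setup that shares the key ring through Redis and makes the cookie readable by every instance and every application. It assumes the Microsoft.AspNetCore.DataProtection.StackExchangeRedis package, a connection string named "Redis" in configuration, and the application name "cloudnative" and cookie name shown below; those values are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using StackExchange.Redis;

var builder = WebApplication.CreateBuilder(args);

// Assumed connection string name; every instance and application points at the same Redis.
var redis = ConnectionMultiplexer.Connect(
    builder.Configuration.GetConnectionString("Redis")!);

builder.Services.AddDataProtection()
    // All instances read and write the same key ring, so a cookie or OIDC state
    // protected by instance A can be unprotected by instance B.
    .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")
    // The application name is part of the protector purpose: it must be identical in
    // every per-tab application, otherwise each app isolates its own keys.
    .SetApplicationName("cloudnative");

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        // Shared cookie name (placeholder) so one login is valid for all applications;
        // the cookie domain/path must also cover all of them.
        options.Cookie.Name = ".cloudnative.auth";
    })
    .AddOpenIdConnect(options =>
    {
        // Authority / ClientId / scopes come from configuration; placeholders omitted here.
        builder.Configuration.GetSection("OpenIdConnect").Bind(options);
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

With the key ring in Redis the keys are stored in plain form unless you also call ProtectKeysWithCertificate or ProtectKeysWithAzureKeyVault, which is worth adding when the Redis instance is shared with other workloads.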


StaticWebAssets and localhost

We’re developing an ASP.NET Core website with a Web API backend, all on a cloud platform. Authentication is implemented with OpenID Connect and cookies. Every tab is a separate application, to reduce release and test times. For the website / applications we have a Razor class library that contains the main layout. See all posts in this series: cloudnative.

Debugging the application on localhost showed HTTP 404 when loading the CSS and JS files from the Razor class library. Turns out we needed to call UseStaticWebAssets when running on localhost. This is enabled automatically when the environment is Development, but since we use our own localhost environment we had to include this code.

// IsLocalhost() is presumably a custom extension for the "localhost" environment
// (assumption: something like builder.Environment.IsEnvironment("Localhost"));
// the built-in equivalent for the Development environment is IsDevelopment().
if (builder.Environment.IsLocalhost())
{
    // serve the CSS/JS from the Razor class library's static web assets while debugging locally
    builder.WebHost.UseStaticWebAssets();
}

TEQnation 2023

Visiting TEQnation has brought me back in contact with people outside my organisation. Sometimes you need to look elsewhere to get forward in technology. I’ll try to write down what I learned today and hope to see you on the next technology event.

Of course Artificial Intelligence (AI) was on the agenda. GitHub Copilot was the first to be mentioned. You first need to understand the programming language before you can put Copilot suggestions into production, so don’t let juniors use it unsupervised; on the other hand, you can train your juniors by using Copilot. ChatGPT is a big step. In the future AI will be able to create complete software solutions for us. These solutions will be monoliths, because they are easier to handle. No need to worry about your job, because DevOps is 10% tools, 10% product and 80% people.

In collaborative software design the people part was handled. Humans have emotions and are biased, among other things. You need to manage the humans. The idea started by helping an architect and ended with writing a book (https://www.manning.com/books/collaborative-software-design).

Next was security. Our solutions are for the most part based on packages (NuGet, npm). Most packages depend on other packages. We all remember log4j last December. It is important to keep an eye on your dependencies. After a feature is complete you still need to maintain it by updating the dependencies. For this you need a security solution that is developer focused and executive supported, with clear guardrails and time for coaching and mentoring. And reward / recognise the teams that are applying it.

OpenShift has a solution that provides a desktop-like developer experience where the tools run inside a container. Loads of demos. Based on an open standard: https://devfile.io

Michael Coté had a talk about developer platforms. He worked at Pivotal and moved to VMware when it acquired Pivotal. His slides show the way to create a developer platform (https://cote.io/platform/). Since it is meant for developers, make sure to treat the developer as a customer and have developers work on the platform.

The day started with the talk from PostNL. The only rule for software development was infrastructure as code and hosting on a public cloud provider. There I heard about https://backstage.io to create a catalog of services. These services would process the data with GraphQL. Slides are in markdown here: https://github.com/patrickdronk/data-mesh-slides

Another concept heard during multiple talks was Shift Left. Test early and test often. We all do this, right? 😮

For developers by developers

TEQnation is the software development conference designed for teamleads, architects and project management. But most of all it’s organized for developers by developers. The Developer Conference of Tomorrow: TEQnation 2023 brings the best of the best speakers, various exhibitors, live demonstrations and numerous networking opportunities.

https://teqnation.com/general-information/


Laptop ergonomics on the go

I’ve been working on a laptop for some time now. When I work in my home office I can hook up an external monitor and a full-size keyboard and mouse. When I work on the go, like in the library or a coffee shop, I use the Nextstand and the Logitech K380 / Pebble.

The Nextstand raises the laptop high enough that the screen is level with my eyes. It folds into a small stick that easily fits into my bag. Of all the stands I’ve used, this one checks all the boxes. It looks fragile but has held up without problems for about 3 months now.

Both the keyboard (K380) and mouse (Pebble) are connected via Bluetooth. They are battery powered and use little power. When the batteries are depleted I’ll put in rechargeables. The typing experience is awesome: it feels just like the MacBook keyboard, with enough travel and feedback. I would appreciate some extra buttons on the mouse, though.

Small extra weight for good laptop ergonomics on the go.
