fix(frontend): store idToken in separate cookie to avoid size limit

jsell-rh · claude · jsell-rh · commit f00fbaf4fe0d · 2026-05-21T15:05:46.000-04:00
iron-session's cookie limit (4096 bytes) is exceeded when idToken is
included alongside accessToken and refreshToken — especially with
Keycloak identity brokering which produces large tokens.

Store idToken in a dedicated httpOnly oidc_id_token cookie. Logout
reads it from there for id_token_hint. Session type no longer includes
idToken.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/components/frontend/src/app/api/auth/sso/callback/route.ts b/components/frontend/src/app/api/auth/sso/callback/route.ts
@@ -39,7 +39,6 @@ export async function GET(request: NextRequest) {
     const session = await getSession();
     session.accessToken = tokens.accessToken;
     session.refreshToken = tokens.refreshToken;
-    session.idToken = tokens.idToken;
     session.expiresAt = tokens.expiresAt;
     await session.save();
 
@@ -50,7 +49,17 @@ export async function GET(request: NextRequest) {
     const origin = process.env.SSO_REDIRECT_URI
       ? new URL(process.env.SSO_REDIRECT_URI).origin
       : request.nextUrl.origin;
-    return NextResponse.redirect(new URL(returnTo, origin));
+    const response = NextResponse.redirect(new URL(returnTo, origin));
+    if (tokens.idToken) {
+      response.cookies.set("oidc_id_token", tokens.idToken, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: "/",
+        maxAge: 86400,
+      });
+    }
+    return response;
   } catch (err) {
     console.error("OIDC callback failed:", err instanceof Error ? err.message : err);
     cookieStore.delete("oidc_code_verifier");
diff --git a/components/frontend/src/app/api/auth/sso/e2e-login/route.ts b/components/frontend/src/app/api/auth/sso/e2e-login/route.ts
@@ -21,7 +21,6 @@ export async function POST(request: NextRequest) {
   const session = await getSession();
   session.accessToken = token;
   session.refreshToken = "";
-  session.idToken = "";
   session.expiresAt = Math.floor(Date.now() / 1000) + 86400;
   await session.save();
 
diff --git a/components/frontend/src/app/api/auth/sso/logout/route.ts b/components/frontend/src/app/api/auth/sso/logout/route.ts
@@ -1,11 +1,14 @@
 import { NextRequest, NextResponse } from "next/server";
+import { cookies } from "next/headers";
 import { getSession } from "@/lib/session";
 import { getEndSessionUrl } from "@/lib/oidc";
 
 export async function GET(request: NextRequest) {
+  const cookieStore = await cookies();
+  const idToken = cookieStore.get("oidc_id_token")?.value;
   const session = await getSession();
-  const idToken = session.idToken || undefined;
   session.destroy();
+  cookieStore.delete("oidc_id_token");
 
   const postLogoutRedirectUri = process.env.SSO_REDIRECT_URI
     ? new URL(process.env.SSO_REDIRECT_URI).origin
diff --git a/components/frontend/src/lib/session.ts b/components/frontend/src/lib/session.ts
@@ -4,7 +4,6 @@ import { cookies } from "next/headers";
 export interface SessionData {
   accessToken: string;
   refreshToken: string;
-  idToken: string;
   expiresAt: number;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@ import { cookies } from "next/headers";`
`4`	`4`	`export interface SessionData {`
`5`	`5`	`accessToken: string;`
`6`	`6`	`refreshToken: string;`
`7`		`- idToken: string;`
`8`	`7`	`expiresAt: number;`
`9`	`8`	`}`
`10`	`9`