[BUG] securecookie: the value is too long

[Blarc]

Flyte & Flytekit version

flyte-binary:v1.15.3 (I've also tried v1.16.0-b3)

Describe the bug

I am using Helm chart for deploying flyte-binary:v1.15.3 (I've also tried v1.16.0-b3). After adding GitLab as external OIDC provider, I get the following error:

{"json":{"src":"handlers.go:91"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2025-09-04T05:59:54Z"}
{"json":{"src":"handlers.go:91"},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2025-09-04T05:59:57Z"}
{"json":{"src":"cookie_manager.go:192"},"level":"error","msg":"Error generating encrypted id token cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2025-09-04T05:59:57Z"}
{"json":{"src":"handlers.go:208"},"level":"error","msg":"Error setting encrypted JWT cookie [SECURE_COOKIE_ERROR] Error creating secure cookie, caused by: securecookie: the value is too long","ts":"2025-09-04T05:59:57Z"}

I thought this was fixed in #3750 ?

Expected behavior

Be able to sign in with GitLab.

Additional context to reproduce

Helm chart's auth configuration:

    auth:
      enabled: true
      oidc:
        baseUrl: https://gitlab.medius.si
        clientId: x
        clientSecret: x
      internal:
        clientSecret: x
        clientSecretHash: x
      authorizedUris:
        - x
      flyteClient:
        scopes:
          - profile
          - openid
          - email
          - read_user

Screenshots

No response

Are you sure this issue hasn't been raised already?

• Yes

Have you read the Code of Conduct?

• Yes

[welcome]

Thank you for opening your first issue here! 🛠

[runllm]

This issue was fixed in Flyte v1.12.0-b0 and later by splitting large access tokens into two cookies to avoid the "securecookie: the value is too long" error. However, this fix only applies to the access token, not the id token (flyte_idt). If your GitLab OIDC provider returns a very large id token, the error can still occur because the id token is not split and must fit within the browser's cookie size limit. See the merged PR and changelog for details: Split access token into half and store to avoid "securecookie: the value is too long" error, Changelog v1.12.0-b0.

To resolve this, you must reduce the size of the id token returned by your OIDC provider (e.g., by removing unnecessary claims or groups from the token). There is currently no upstream fix for splitting the id token cookie in Flyte, so the limitation remains for large id tokens. For more context, see the original issue and discussion: GitHub Issue #3750.

Would you like more detail on how to reduce the id token size or further technical background?

Sources:

• Split access token into half and store to avoid "securecookie: the value is too long" error
• Changelog v1.12.0-b0
• GitHub Issue #3750

---

This is an AI-generated response and your feedback is appreciated! Please leave a 👍 if this is helpful and 👎 if it is not.

Mention @RunLLM to ask follow-up questions. See runllm.com for more!