Unable to log in to OpenDistro Kibana while authenticating with Keycloak. Keycloak token cookie exceeds storage limit

I have configured OpenDistro with Keycloak. As per requirement, I have a user who is assigned multiple roles in Keycloak (50 roles). So, when I'm trying to access Kibana with this user, I'm getting multiple redirections, and the inspector console shows that the cookie size exceeds its limit.
Then, from the Keycloak token cookie, I removed the refresh token and used only the ID token. I was able to log in after that, but without the refresh token the window keeps reloading.

“Set-Cookie header is ignored in response from url: http://xxxxxx/testkibana/auth/openid/login?state=OQtR.-b17d-4437-ae63-833371a11556. The combined size of the name and value must be less than or equal to 4096 characters.”

Can anyone help me out so that I can access Kibana with a user having multiple roles, without disabling the refresh token in the cookie?

@bhavuk_7

Could you try to lower the number of assigned roles? Roles are passed with the token cookie during authentication.


Thanks for the quick reply @pablo.

I have tried reducing the roles and am able to log in, but as mentioned earlier in the issue, assigning those roles to the user is my requirement, so I can't reduce them.
Also, in the official OpenDistro documentation I haven't seen any point defining a maximum number of roles that can be assigned per user while using OpenID auth with OpenDistro.

If there is any other solution for reducing the cookie size while keeping those roles, it would be a great help.

@bhavuk_7

This issue is not related to the number of roles but to the size of the cookie, which is 4096 bytes. This has already been reported to the dev team.
https://github.com/opensearch-project/security/issues/375

As per the reported bug, the only workaround is to limit the number of roles.

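As an added illustration (not code from this thread, OpenDistro or Keycloak), the following constructed Python model shows why the role count pushes the authentication cookie past the 4096-character browser limit quoted in the Set-Cookie warning above, and why dropping the refresh token from the cookie brings a 50-role user back under it. The claim shapes, cookie name, the "|" cookie layout and the 342-character signature stand-in are all assumptions made for the example.

```python
import base64
import json

# Browser limit quoted in the Set-Cookie warning above: name plus value <= 4096 characters.
COOKIE_LIMIT = 4096
COOKIE_NAME = "security_authentication"  # assumed cookie name, not taken from the thread
SIG_LEN = 342  # length of a base64url RS256 (2048-bit key) signature; "x" * SIG_LEN stands in for it
SESSION = "d7e2c1a0-0000-4000-8000-000000000002"  # constructed Keycloak session id
BASE_CLAIMS = {  # constructed values shaped like a Keycloak token
    "iss": "https://keycloak.example/auth/realms/demo",
    "sub": "3b2f1c8e-0000-4000-8000-000000000001",
    "aud": "kibana", "exp": 1700000000, "iat": 1699999700,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fake_jwt(claims: dict) -> str:
    """JWT-shaped token (constructed): real header/payload encoding, placeholder signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}." + "x" * SIG_LEN

def id_token(n_roles: int) -> str:
    # Realm roles travel inline in realm_access.roles, so each assigned role adds ~41 payload bytes.
    roles = [f"kibana_tenant_{i:02d}_dashboards_read_write" for i in range(n_roles)]
    return fake_jwt(dict(BASE_CLAIMS, typ="ID", azp="kibana", session_state=SESSION,
                         preferred_username="demo.user", email="demo.user@example.com",
                         realm_access={"roles": roles}))

def refresh_token() -> str:
    # The refresh token carries no roles here; it is a fixed extra cost inside the same cookie.
    return fake_jwt(dict(BASE_CLAIMS, typ="Refresh", azp="kibana", session_state=SESSION,
                         scope="openid profile email"))

def cookie_size(n_roles: int, with_refresh: bool) -> int:
    """Characters counted against the limit: cookie name plus value (tokens joined by '|', assumed layout)."""
    value = id_token(n_roles) + ("|" + refresh_token() if with_refresh else "")
    return len(COOKIE_NAME) + len(value)

def max_roles_within_limit(with_refresh: bool) -> int:
    """Largest role count whose cookie still fits (size grows monotonically with the role count)."""
    n = 0
    while cookie_size(n + 1, with_refresh) <= COOKIE_LIMIT:
        n += 1
    return n

if __name__ == "__main__":
    for flag in (True, False):
        print(f"refresh token in cookie={flag}: 50 roles -> {cookie_size(50, flag)} chars;"
              f" max roles that fit = {max_roles_within_limit(flag)}")
```

Running it prints the 50-role cookie size with and without the refresh token and the largest role count that still fits in each layout, which is the trade-off the thread describes.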