fix: reduce JWT cookie size by removing teams/namespaces from session tokens#2765
Merged
crivetimihai merged 7 commits into main on Feb 8, 2026
Conversation
… tokens

Session tokens (login/SSO) no longer embed teams or namespaces claims, resolving the 4KB cookie size limit for users with many team memberships.

- Phase 1: Remove dead `namespaces` claim from all token creation paths
- Phase 2: Introduce `token_use` claim (session vs api) with server-side team resolution via DB/cache for session tokens
- Phase 3: Add cookie size validation (warn 3800B, error 4096B) with CookieTooLargeError exception
- Phase 4: Improve error UX for cookie auth failures in login and SSO

Closes #2757

Signed-off-by: Mihai Criveti <crmihai1@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
…HTTP

- Remove unused get_teams() call and team_ids construction in create_access_token (dead code after teams removal from session tokens)
- Add _resolve_teams_from_db_sync() with L1 in-memory cache support for StreamableHTTP transport (was hitting DB on every request)

Signed-off-by: Mihai Criveti <crmihai1@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request on Feb 24, 2026
… tokens (IBM#2765)

* fix: reduce JWT cookie size by removing teams/namespaces from session tokens

  Session tokens (login/SSO) no longer embed teams or namespaces claims, resolving the 4KB cookie size limit for users with many team memberships.

  - Phase 1: Remove dead `namespaces` claim from all token creation paths
  - Phase 2: Introduce `token_use` claim (session vs api) with server-side team resolution via DB/cache for session tokens
  - Phase 3: Add cookie size validation (warn 3800B, error 4096B) with CookieTooLargeError exception
  - Phase 4: Improve error UX for cookie auth failures in login and SSO

  Closes IBM#2757

  Signed-off-by: Mihai Criveti <crmihai1@gmail.com>
  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: remove dead code in email_auth and add sync cache for StreamableHTTP

  - Remove unused get_teams() call and team_ids construction in create_access_token (dead code after teams removal from session tokens)
  - Add _resolve_teams_from_db_sync() with L1 in-memory cache support for StreamableHTTP transport (was hitting DB on every request)

  Signed-off-by: Mihai Criveti <crmihai1@gmail.com>
  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Lint

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* lint fixes

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* lint

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* lint

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* lint

  Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Summary
- `teams` or `namespaces` claims, resolving the 4KB cookie size limit (RFC 6265 §6.1) for users with many team memberships
- `token_use` claim (`session` vs `api`) — session tokens resolve teams server-side via DB + L1/L2 cache, API tokens continue embedding teams
- `CookieTooLargeError` (warn at 3800B, hard error at 4096B)

Key changes across 21 files:
- `auth.py`: `_resolve_teams_from_db()` (async) and `_resolve_teams_from_db_sync()` (sync with L1 cache) for server-side team resolution on session tokens
- `security_cookies.py`: Cookie size validation, `CookieTooLargeError` exception
- `email_auth.py` / `sso.py`: Removed dead code, session tokens no longer embed teams
- `token_scoping.py` / `rbac.py`: Handle `token_use: "session"` by resolving teams from DB instead of JWT
- `streamablehttp_transport.py`: Uses `_resolve_teams_from_db_sync()` with L1 cache (previously hit DB directly on every request)
- `admin.py`: Cookie error handling in login/SSO redirects
- `create_jwt_token.py`: Removed `namespaces` parameter

Results (verified on deployed environment with 109 teams):
Closes #2757
Test plan
- `token_use: "session"` present in session tokens, no teams/namespaces embedded
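The following stdlib-only Python sketch is an added illustration of the three mechanisms the description lists, not code from this PR or from the mcp-context-forge project: a `token_use` claim that decides whether team membership lives in the JWT (API tokens) or is resolved server-side (session tokens), a cookie-size check with the 3800 B warn and 4096 B error thresholds, and an in-process L1 cache in front of the team lookup so repeated requests do not hit the store. Every name here (`create_token`, `check_cookie_size`, `TeamResolver`, `compare_cookie_sizes`) and the 109 UUID-shaped team ids are assumptions made up for the example; `CookieTooLargeError` is only a stand-in that borrows the page's name. The HS256 encoder is a minimal JWS compact serialization so the example runs without PyJWT.

```python
import base64
import hashlib
import hmac
import json
import time
import warnings
from typing import Callable, Dict, List, Tuple

# Thresholds quoted in the PR description. RFC 6265 section 6.1 only requires
# user agents to accept 4096 bytes per cookie, so a larger value may be dropped.
COOKIE_WARN_BYTES = 3800
COOKIE_MAX_BYTES = 4096


class CookieTooLargeError(ValueError):
    """Stand-in for the exception the PR adds; raised above the hard limit."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_encode(claims: dict, secret: bytes) -> str:
    """JWS compact serialization with HS256, stdlib only (no PyJWT needed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def hs256_decode(token: str, secret: bytes) -> dict:
    """Verify the MAC in constant time before any claim is trusted."""
    header, payload, signature = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        raise ValueError("JWT signature mismatch")
    return json.loads(_b64url_decode(payload))


def create_token(email: str, token_use: str, teams: List[str], secret: bytes) -> str:
    """Session tokens carry only `token_use`; API tokens keep embedding teams."""
    if token_use not in ("session", "api"):
        raise ValueError("token_use must be 'session' or 'api'")
    claims = {"sub": email, "token_use": token_use, "exp": int(time.time()) + 3600}
    if token_use == "api":
        claims["teams"] = teams
    return hs256_encode(claims, secret)


def check_cookie_size(name: str, value: str) -> int:
    """Bytes of `name=value` on the wire; warn past 3800 B, refuse past 4096 B."""
    size = len(name.encode()) + 1 + len(value.encode())
    if size > COOKIE_MAX_BYTES:
        raise CookieTooLargeError(f"{name}: {size} B exceeds {COOKIE_MAX_BYTES} B")
    if size > COOKIE_WARN_BYTES:
        warnings.warn(f"{name}: {size} B is close to the {COOKIE_MAX_BYTES} B limit")
    return size


class TeamResolver:
    """Team lookup for token_use == "session" with an in-process TTL (L1) cache."""

    def __init__(self, db_lookup: Callable[[str], List[str]], ttl_seconds: float = 60.0):
        self._lookup = db_lookup
        self._ttl = ttl_seconds
        self._cache: Dict[str, Tuple[float, List[str]]] = {}
        self.db_hits = 0  # lookups that actually reached the backing store

    def teams_for(self, claims: dict) -> List[str]:
        if claims.get("token_use") == "api":
            return list(claims.get("teams", []))  # API tokens stay self-contained
        email = claims["sub"]
        entry = self._cache.get(email)
        if entry is not None and entry[0] > time.monotonic():
            return entry[1]
        self.db_hits += 1
        teams = self._lookup(email)
        self._cache[email] = (time.monotonic() + self._ttl, teams)
        return teams


def constructed_teams(count: int) -> List[str]:
    """Constructed UUID-shaped team ids standing in for real memberships."""
    return [f"00000000-0000-4000-8000-{i:012d}" for i in range(count)]


def compare_cookie_sizes(email: str, team_count: int, secret: bytes) -> Dict[str, object]:
    """Session vs API cookie size for one user; the API form may exceed the limit."""
    teams = constructed_teams(team_count)
    result: Dict[str, object] = {}
    result["session"] = check_cookie_size("jwt_token", create_token(email, "session", teams, secret))
    try:
        result["api"] = check_cookie_size("jwt_token", create_token(email, "api", teams, secret))
    except CookieTooLargeError as exc:
        result["api"] = str(exc)
    return result


if __name__ == "__main__":
    print(compare_cookie_sizes("alice@example.com", 109, b"constructed-demo-secret"))
```

With 109 constructed team ids the API-style token overshoots 4096 bytes and the size check raises, while the session-style token for the same user stays a few hundred bytes because membership is looked up through `TeamResolver`; a second request for the same subject is served from the L1 cache and never reaches `db_lookup`.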