Describe the bug
Docker CLI login using Azure VM managed identity failed with HTTP 400 Bad Request - Request Header Or Cookie Too Large error when the AAD access token exceeds a certain size (6089 characters in my test).
The AAD access token obtained from the IMDS auth endpoint is normally much smaller than 6089 characters; however, in some cases, e.g. when the identity is a member of a large number of security groups, the token size can grow beyond 6089 characters because the list of group memberships is also included in the access token.
This issue has already been reported to ACR PG. Creating issue here as requested by the end customer so he can track the status of the fix.
To Reproduce
Steps to reproduce the behavior:
Generate a token/password with 6090 characters or more. For testing purposes this does not have to be an actual AAD access token.
TOKEN=$(strings /dev/urandom | tr -dc A-Za-z0-9 | head -c6090)
Run docker login using the token
docker -D login -u 00000000-0000-0000-0000-000000000000 -p $TOKEN fqdn.azurecr.io
Expect the login to fail due to 400 Request Header Or Cookie Too Large error
Expected behavior
Docker login should succeed when using AAD token regardless of the size of group list in the token.
Screenshots
Any relevant environment information
OS: [e.g. Ubuntu, Windows]
Azure CLI/PowerShell/SDK version
Docker version
Datetime (UTC) when the issue occurred
Registry and image names
Additional context
Add any other context about the problem here.
If any information is a concern to post here, you can create a support ticket or send an email to [email protected].
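To check whether a given identity's token is affected, the following sketch measures a compact JWT and the share of it taken up by group memberships. It is an added example, not code from the issue or from ACR; the `groups` claim name, the helper names and the sample token are assumptions constructed for illustration, and 6089 is the threshold the reporter observed.

```python
import base64
import json

OBSERVED_LIMIT = 6089  # longest token that still logged in, per the issue's test

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_token(token: str, limit: int = OBSERVED_LIMIT) -> dict:
    """Size diagnostic only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    groups = claims.get("groups", [])  # assumed claim name for group object IDs
    groups_json = json.dumps(groups, separators=(",", ":"))
    return {
        "length": len(token),
        "group_count": len(groups),
        # base64url turns every 3 payload bytes into 4 token characters
        "approx_group_chars": -(-len(groups_json) * 4 // 3),
        "over_limit": len(token) > limit,
    }

def make_sample_token(group_count: int) -> str:
    """Constructed, unsigned stand-in for a token carrying N group object IDs."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    claims = {
        "aud": "https://example.invalid/",  # constructed value
        "groups": [f"00000000-0000-0000-0000-{i:012d}" for i in range(group_count)],
    }
    # 256 zero bytes stand in for a signature of realistic length
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims),
                     b64url_encode(b"\x00" * 256)])

def first_group_count_over(limit: int = OBSERVED_LIMIT) -> int:
    """Smallest number of groups at which the sample token exceeds the limit."""
    n = 0
    while not inspect_token(make_sample_token(n), limit)["over_limit"]:
        n += 1
    return n

if __name__ == "__main__":
    print(inspect_token(make_sample_token(150)))
    print("sample token crosses the limit at", first_group_count_over(), "groups")
```

Real tokens carry many more claims than the sample, so they cross the threshold with fewer groups than this reports.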