sso-proxy: avoid oversized cookies by sporkmonger · Pull Request #95 · buzzfeed/sso

Problem

Some potential providers (e.g. Azure AD) use very large tokens. Once you apply encryption to them, they exceed 4096 bytes, which causes the browser to reject them. This PR gives a little more breathing room for larger tokens.

Solution

This gzips the marshalled JSON before encrypting it. I couldn't think of an obvious scenario where introducing compression would leak information (via cookie length) that would compromise security, since the contents of the cookie are already largely known to the client, and this doesn't aid in forging an attacker-controlled cookie.

Notes

I was getting cookies in the ballpark of 4400 bytes before this PR, and they're running around 2900 bytes with the same payload now. Chrome (and presumably most other browsers) enforces a limit of 4096 bytes. May be worth also triggering a server-side error if we exceed that, since it took me 3 days of debugging to figure out that was happening.
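The pipeline the Solution and Notes sections describe, as an added illustration that is not code from this PR or from the sso repository: the session is marshalled to JSON, gzipped, encrypted, base64-encoded, and then the encoder refuses to hand back a value over the 4096-byte limit instead of letting the browser drop it silently. The `Session` struct, the `Codec` type, the use of AES-GCM with a 32-byte key and the `MaxCookieSize` constant are all assumptions made for this example; sso's actual cookie format and cipher are not described on this page.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// MaxCookieSize is the per-cookie limit the PR description reports Chrome enforcing.
const MaxCookieSize = 4096

// ErrCookieTooLarge is the server-side error the PR notes suggest instead of a silently dropped cookie.
var ErrCookieTooLarge = errors.New("session cookie exceeds browser size limit")

// Session is a hypothetical stand-in for the state a proxy keeps in its session cookie.
type Session struct {
	Email       string `json:"email"`
	AccessToken string `json:"access_token"`
}

// Codec seals sessions with AES-GCM (key assumed 32 bytes) and, when Compress is set, gzips the JSON first.
type Codec struct {
	aead     cipher.AEAD
	Compress bool
}

func NewCodec(key []byte, compress bool) (*Codec, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Codec{aead: aead, Compress: compress}, nil
}

// Encode marshals, optionally gzips, encrypts and base64-encodes s, refusing values the browser would reject.
func (c *Codec) Encode(s *Session) (string, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	if c.Compress {
		var buf bytes.Buffer
		w := gzip.NewWriter(&buf)
		if _, err := w.Write(plain); err != nil {
			return "", err
		}
		if err := w.Close(); err != nil {
			return "", err
		}
		plain = buf.Bytes()
	}
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce, stored in front of the ciphertext
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	value := base64.URLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, plain, nil))
	if len(value) > MaxCookieSize {
		return "", fmt.Errorf("%w: %d bytes", ErrCookieTooLarge, len(value))
	}
	return value, nil
}

// Decode reverses Encode; a tampered value fails authentication before anything is gunzipped.
func (c *Codec) Decode(value string) (*Session, error) {
	sealed, err := base64.URLEncoding.DecodeString(value)
	n := c.aead.NonceSize()
	if err != nil || len(sealed) < n {
		return nil, errors.New("malformed cookie value")
	}
	plain, err := c.aead.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, err
	}
	if c.Compress {
		r, err := gzip.NewReader(bytes.NewReader(plain))
		if err == nil {
			plain, err = io.ReadAll(r)
		}
		if err != nil {
			return nil, err
		}
	}
	var s Session
	if err := json.Unmarshal(plain, &s); err != nil {
		return nil, err
	}
	return &s, nil
}
```

Compression happens before encryption, which is the ordering the PR relies on: gzip over ciphertext would gain nothing, since encrypted bytes are incompressible. Decode authenticates the ciphertext before it touches the gzip reader, so a modified or truncated cookie is rejected by AES-GCM rather than being fed to the decompressor. The size check in Encode is the loud failure the Notes ask for: a handler that gets `ErrCookieTooLarge` can log it and return an error response instead of setting a cookie the browser will discard.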