Azure AD B2C authorization code and refresh token size increase update
Update September 11, 2023: This post is no longer relevant.
As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling out a format change that increases the size of OAuth 2.0 (and OpenID Connect) authorization code and refresh tokens returned to your application. If your application is configured to accept the OAuth2 authorization code as query string parameter or URL fragment, this change might impact users in the following scenarios:
- Users with old web browsers such as Internet Explorer may exceed the URL length limit.
- Your application runs on web servers, or behind firewalls or reverse proxies, that have low URL length limits configured.
The OAuth2 (and OpenID Connect) protocol specifies three response modes which specify how the authorization code is returned to your application. With the query and fragment mode the authorization code is returned as a query parameter or fragment of the URL. In the form_post mode, response parameters will be encoded as HTML form values that are transmitted via the HTTP POST method and encoded in the body. For information, check out the OAuth 2.0 authorization code flow in Azure Active Directory B2C article.
To mitigate URL length issues:
- For web applications, we recommend using OAuth2 response_mode set to form_post, to ensure the most secure transfer of tokens to your application.
- For single-page applications with authorization code flow and PKCE, reduce the number of claims emitted to your application. In your user flows and custom policies, remove claims that are unnecessary for your app. You can use the user info endpoint to return claims about the authenticated user. This will minimize the size of the authorization code and the refresh token.
- This change should not affect device-installed apps, such as mobile and desktop apps.
The change also impacts the size of the refresh token. The MSAL library caches a token after it has been acquired. For web applications with an in-memory cache or a distributed token cache, make sure your cache system can handle the size of the refresh token, or reduce the size of the refresh token as described in the previous section.
Yoel
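The following is an added example, not code from the original post, from Microsoft or from MSAL. It models the three response modes the post describes on both sides of the exchange: the IdP's redirect (or auto-submitting form) and the relying party's callback parsing with the state check. The tenant, policy, client id and redirect URI are placeholders, the authorize endpoint shape follows the public Azure AD B2C documentation, the 2083-character limit is Internet Explorer's documented URL maximum, and the 4643-byte authorization code is constructed to match the size a commenter later in this thread reports seeing.

```python
# Added example (not code from the original post or from Microsoft/MSAL).
# It models the three OAuth2 response modes the post describes and shows why
# a large authorization code breaks query/fragment redirects but not form_post.
# Tenant, policy, client_id and redirect URI are placeholders; the 4643-byte
# code is constructed to match the size a commenter in this thread measured.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

IE_MAX_URL_LENGTH = 2083  # Internet Explorer's documented maximum URL length
RESPONSE_MODES = ("query", "fragment", "form_post")


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant, policy, client_id, redirect_uri, scopes,
                        state, nonce, code_challenge, response_mode="form_post"):
    """Build the B2C authorization request. The endpoint shape follows the
    public B2C documentation; every value passed in here is a placeholder."""
    if response_mode not in RESPONSE_MODES:
        raise ValueError(f"unsupported response_mode {response_mode!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": response_mode,
        "scope": " ".join(scopes),
        "state": state,                 # CSRF binding, checked in parse_callback
        "nonce": nonce,                 # bound into the id_token by the IdP
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize"
    return f"{base}?{urlencode(params)}"


def simulate_idp_response(redirect_uri, code, state, response_mode):
    """Model what the IdP returns to the browser for each response_mode.

    query/fragment: a 302 whose Location header carries the code, so the
    Location length grows with the code. form_post: a 200 HTML page whose
    form auto-submits the code to redirect_uri in the POST body, so there is
    no Location header and the callback URL keeps its original length.
    """
    params = urlencode({"code": code, "state": state})
    if response_mode == "query":
        return {"status": 302, "location": f"{redirect_uri}?{params}", "body": b""}
    if response_mode == "fragment":
        return {"status": 302, "location": f"{redirect_uri}#{params}", "body": b""}
    if response_mode == "form_post":
        # The browser POSTs this body to redirect_uri with
        # Content-Type: application/x-www-form-urlencoded.
        return {"status": 200, "location": None, "body": params.encode()}
    raise ValueError(f"unsupported response_mode {response_mode!r}")


def location_exceeds_limit(response, limit=IE_MAX_URL_LENGTH):
    """True when the redirect would be cut off by a client or proxy URL limit."""
    location = response["location"]
    return location is not None and len(location) > limit


def parse_callback(response, expected_state):
    """Relying-party side: pull the code out of the URL (query/fragment) or the
    POST body (form_post) and refuse it unless state matches what we sent."""
    if response["location"] is not None:
        parts = urlsplit(response["location"])
        raw = parts.query or parts.fragment
    else:
        raw = response["body"].decode()
    fields = parse_qs(raw, strict_parsing=True)
    if fields.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    return fields["code"][0]


def compare_modes(code_length=4643, redirect_uri="https://app.example/signin-oidc"):
    """For each response mode: (Location too long for IE?, code recovered intact?)."""
    state = secrets.token_urlsafe(16)
    code = "A" * code_length  # constructed stand-in for a large opaque code
    results = {}
    for mode in RESPONSE_MODES:
        response = simulate_idp_response(redirect_uri, code, state, mode)
        results[mode] = (location_exceeds_limit(response),
                         parse_callback(response, state) == code)
    return results


if __name__ == "__main__":
    _, challenge = pkce_pair()
    print(build_authorize_url("contoso", "B2C_1_signin", "00000000-0000-0000-0000-000000000000",
                              "https://app.example/signin-oidc", ["openid", "offline_access"],
                              secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge))
    for mode, (too_long, ok) in compare_modes().items():
        print(f"{mode:9s} location_exceeds_IE_limit={too_long} code_intact={ok}")
```

With the 4643-byte code, the query and fragment redirects both exceed the 2083-character limit while form_post never produces a Location header at all, which is the mitigation the post recommends for web applications. Switching to form_post also means the code never lands in browser history, Referer headers or proxy access logs, and it requires the redirect URI handler to accept POST with application/x-www-form-urlencoded bodies; the state check in parse_callback applies in every mode.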
36 Replies
- eschillercourtalert (Copper Contributor)
Yoel_Horvitz This change appears to have broken all our desktop applications that use MSAL.NET (Microsoft.Identity.Client) to authenticate against our Azure B2C tenant. The .NET exception our users are receiving is:
Exception: Microsoft.Identity.Client.MsalClientException
Message: The browser based authentication dialog failed to complete. Reason: The protocol is not known and no pluggable protocols have been entered that match.
Source: Microsoft.Identity.Client
- User20230420 (Copper Contributor)
eschillercourtalert Are you able to resolve this issue? Any update from Microsoft? We are facing the same issue with our Windows application. Thank you
- eschillercourtalert (Copper Contributor)
User20230420 there were two things we did to address this issue:
1) Opened a ticket with Microsoft; eventually they temporarily rolled back this change for my tenant. No word on when the change will be made permanent.
2) Updated the version of the Microsoft.Identity.Client NuGet package in the desktop application. This addressed the issue until Microsoft rolled back the change.
- Jim_Ronan (Copper Contributor)
Yoel_Horvitz This change is causing errors within our OIDC code flow client application. The "location" header for a random AD authorization code 302 redirect is 4729 bytes! The code parameter itself is 4643 bytes long! My understanding of authorization codes is that they should be small and opaque and be a reference to user state held within the Identity Provider, not an encoding of the state itself.