Mar 17 2023 06:48 AM - edited Sep 11 2023 04:16 AM
Update September 11, 2023: This post is no longer relevant.
As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling out a format change that increases the size of OAuth 2.0 (and OpenID Connect) authorization code and refresh tokens returned to your application. If your application is configured to accept the OAuth2 authorization code as query string parameter or URL fragment, this change might impact users in the following scenarios:
The OAuth2 (and OpenID Connect) protocol specifies three response modes, which specify how the authorization code is returned to your application. With the query and fragment modes, the authorization code is returned as a query parameter or a fragment of the URL. In the form_post mode, response parameters are encoded as HTML form values that are transmitted via the HTTP POST method and encoded in the body. For information, check out the OAuth 2.0 authorization code flow in Azure Active Directory B2C article.
To mitigate URL length issues:
The change also impacts the size of the refresh token. The MSAL library caches a token after it has been acquired. For web applications with an in-memory cache or a distributed token cache, make sure your cache system can handle the size of the refresh token, or reduce the size of the refresh token as described in the previous section.
Yoel
Apr 03 2023 08:35 AM
@yoelh This change is causing errors within our OIDC Code Flow client application. The "location" header for a random AD authorization code 302 redirect is 4729 bytes! The code parameter itself is 4643 bytes long! My understanding of authorization codes is that they should be small and opaque and be a reference to user state held within the Identity Provider, not an encoding of the state itself.
Apr 04 2023 08:46 PM
@yoelh This change appears to have broken all our Desktop applications that use MSAL .net (Microsoft.Identity.Client) to authenticate against our Azure B2C tenant. The .net exception our users are receiving is:
Exception: Microsoft.Identity.Client.MsalClientException
Message: The browser based authentication dialog failed to complete. Reason: The protocol is not known and no pluggable protocols have been entered that match.
Source: Microsoft.Identity.Client
Apr 19 2023 12:33 AM
@yoelh this seems to have been partly rolled out yesterday; it caused intermittent issues with our SPA (using PKCE) as the query string length returned is longer than the max default in .Net core. Assume MS have load balanced between the old (small) version and the new (large) version.
As it was intermittent it was hard to track down this change as being the cause; we're struggling to find any release notes around this which would have allowed us to pre-empt any issues.
Apr 19 2023 01:02 AM
This was raised as a critical incident yesterday (18/4) since people around the globe could not log in to business critical applications using Azure AD B2C. We noticed that the application error appeared when the code query parameter was too long.
At least we know the reason, now it's a matter of fixing it...
Completely broke mission-critical applications yesterday and today, @yoelh. I found this document while researching after I found out that the response codes are sometimes extremely long. Our awesome team managed to configure the servers (IIS) to mitigate the issue. This is very disturbing because this article seems to be the only mention of this change. I'm quite sure that many more people around the globe are riddled why their apps are "broken" until they find this article.
Apr 19 2023 03:33 PM
For all those who encounter this issue on Azure web apps, we had to modify the web.config to override the request limits:
<!-- in web.config, under <system.webServer> -->
<security>
  <requestFiltering>
    <!-- raise the URL and query string limits so the longer authorization code is not rejected -->
    <requestLimits maxUrl="10999" maxQueryString="2097151" />
  </requestFiltering>
</security>
For those who run a nodejs server under IIS, you will also need to increase the size of the http headers in the iisnode module:
<!-- also under <system.webServer>; raises the Node.js per-request header limit -->
<iisnode nodeProcessCommandLine="node.exe --max-http-header-size 81000" />
Apr 19 2023 03:51 PM
@hebboss Thanks for the details.
We run Angular Apps through Azure App Services using Node.js. We seem to be suffering the same issue where the length of the query parameters exceeds some sort of limit.
Any idea where we can bump this limit up with Node in App Services?
Thanks
Apr 19 2023 06:17 PM - edited Apr 19 2023 06:40 PM
I am trying to understand in what world it makes sense to have auth codes that are a couple of thousand characters in length. Why is Azure B2C using an encrypted JWT instead of an opaque reference token like every other OIDC Provider out there? You guys have selected a size of token that makes it impossible for your authorization code responses to be ingested using the default settings for your own products such as IIS. Our organization's WAF has a hard limit on the maximum URL size. We are in the process of scrambling to implement a fix, meanwhile our customers who use Azure B2C as their OP are unable to authenticate into our products while customers who use Ping, Okta, and others are just fine. We haven't had to keep track of the OP in use by our customers, because it really shouldn't matter as the OP is either in spec or they are not, and configuration of SSO is self service. You guys have created a mess for SaaS vendors out there because of a very poor design decision that led to more poor decisions that OPs shouldn't have to worry about.
Apr 19 2023 09:17 PM - edited Apr 19 2023 09:18 PM
@yoelh Thanks for the post. However, I believe this should have been communicated in a better way. Perhaps next time give enterprises a larger notice period to properly analyse the impacts and develop a fix. Please look into sending an email to your clients detailing the changes with the timelines, thereby sparing them the anxiety.
@mless340 we opened a support ticket, got confirmation that MS is rolling back customers - we're now waiting on a confirmation so our users can log in again
Apr 20 2023 08:19 AM
If you are running Nginx as reverse proxy, this is the fix:
proxy_buffer_size 16k;
proxy_buffers 4 16k;
Apr 20 2023 08:47 AM
@Florian Wachs If I might ask, what IIS server configuration mitigated this issue for you?