Forum Discussion
Yoel_Horvitz
Microsoft
Mar 17, 2023
Azure AD B2C authorization code and refresh token size increase update
Update September 11, 2023: This post is no longer relevant.
As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling...
ChrisJ1201
Apr 20, 2023
Copper Contributor
For the next poor soul to find this:
We found a way to increase the supported size in IIS in a fairly ancient StackOverflow post:
https://stackoverflow.com/questions/8159321/request-exceeds-the-configured-maxquerystringlength-when-using-authorize
Successful solution is:
In the root web.config for your project, under the system.web node:
<system.web>
  <httpRuntime maxUrlLength="10999" maxQueryStringLength="2097151" />
  ...
</system.web>
In addition, I had to add this under the system.webServer node or I got a security error for my long query strings:
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxUrl="10999" maxQueryString="2097151" />
    </requestFiltering>
  </security>
  ...
</system.webServer>
It is critical that you update the values in BOTH web.config and system.web.
The suggestion to change response_mode to "form_post" couldn't be used for us because we are using a 3rd party module to handle the OIDC login, and it only supports "query".
And not to be over the top... but I can't leave without encouraging the B2C engineering team to take some more steps next time there is a breaking change. Since we are paying for this service, I think the following is a reasonable expectation:
1. The standard Azure change notification email that goes out when updates are planned
2. The Azure B2C “What’s New” section in the Azure Portal
3. For a BREAKING change such as this…
a. Every B2C admin should have been specifically targeted with several emails before rollout
b. There should be a clear explanation of how to test your application BEFORE go live
c. There should be a complete list of mitigation steps, which was not the case. In our case IIS and Dotnet themselves – Microsoft products, as you know – are what broke. Not 3rd party solutions. Microsoft solutions.
Even now… AFTER rollout of this breaking change… the Azure B2C “What’s New” is not updated.
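Added example, not code from the post above or from Microsoft: a small checker that parses a web.config and reports which of the two layers (IIS request filtering, then the ASP.NET httpRuntime) would be the first to reject a redirect whose query string carries a long authorization code. The shipped defaults when an attribute is absent are 4096/2048 for requestLimits maxUrl/maxQueryString and 260/2048 for httpRuntime maxUrlLength/maxQueryStringLength; request filtering is evaluated before the request reaches ASP.NET, so raising only one of the two sections leaves the other limit in force. The sample configs, the 3000-character code and the host app.example.com are constructed for the demonstration; the script compares the path against the URL limits and the query string against the query-string limits.

```python
"""Check whether a web.config will accept a long OIDC redirect URL.

Added example (not code from the forum post). It parses the two places a
long query string can be rejected on IIS + ASP.NET:

  * IIS request filtering: <requestLimits maxUrl maxQueryString>
    (evaluated first, before the request reaches ASP.NET)
  * ASP.NET runtime:       <httpRuntime maxUrlLength maxQueryStringLength>

and reports the first layer that would reject a given redirect. The
defaults below are the shipped defaults used when an attribute is absent.
The sample configs and the redirect URL are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

IIS_DEFAULTS = {"maxUrl": 4096, "maxQueryString": 2048}
ASPNET_DEFAULTS = {"maxUrlLength": 260, "maxQueryStringLength": 2048}


def _child(elem, *tags):
    """Walk down the element tree by tag name; None if any step is missing."""
    for tag in tags:
        elem = next((c for c in elem if c.tag == tag), None)
        if elem is None:
            return None
    return elem


def read_limits(web_config_xml: str) -> dict:
    """Return the effective limits of both layers, using defaults where unset."""
    root = ET.fromstring(web_config_xml)
    limits = {}
    rl = _child(root, "system.webServer", "security", "requestFiltering", "requestLimits")
    for attr, default in IIS_DEFAULTS.items():
        limits["iis." + attr] = int(rl.get(attr, default)) if rl is not None else default
    rt = _child(root, "system.web", "httpRuntime")
    for attr, default in ASPNET_DEFAULTS.items():
        limits["aspnet." + attr] = int(rt.get(attr, default)) if rt is not None else default
    return limits


def first_rejecting_layer(limits: dict, url: str):
    """None if both layers accept the URL, else (layer, attribute, actual, limit).

    Path length is compared against the URL limits and query length against
    the query-string limits; IIS request filtering is checked before ASP.NET.
    """
    parts = urlsplit(url)
    path_len, query_len = len(parts.path), len(parts.query)
    checks = [
        ("iis", "maxUrl", path_len),
        ("iis", "maxQueryString", query_len),
        ("aspnet", "maxUrlLength", path_len),
        ("aspnet", "maxQueryStringLength", query_len),
    ]
    for layer, attr, actual in checks:
        limit = limits[f"{layer}.{attr}"]
        if actual > limit:
            return (layer, attr, actual, limit)
    return None


# Constructed sample configs: shipped defaults, IIS raised only, both raised.
DEFAULT_CONFIG = "<configuration><system.web /><system.webServer /></configuration>"

IIS_ONLY_CONFIG = """<configuration>
  <system.web />
  <system.webServer>
    <security><requestFiltering>
      <requestLimits maxUrl="10999" maxQueryString="2097151" />
    </requestFiltering></security>
  </system.webServer>
</configuration>"""

FULL_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxUrlLength="10999" maxQueryStringLength="2097151" />
  </system.web>
  <system.webServer>
    <security><requestFiltering>
      <requestLimits maxUrl="10999" maxQueryString="2097151" />
    </requestFiltering></security>
  </system.webServer>
</configuration>"""

# Constructed redirect carrying a 3000-character authorization code
# (query string = "code=" + 3000 chars + "&state=xyz" = 3015 chars).
SAMPLE_REDIRECT = "https://app.example.com/signin-oidc?code=" + "A" * 3000 + "&state=xyz"


if __name__ == "__main__":
    for name, cfg in [("defaults", DEFAULT_CONFIG), ("iis-only", IIS_ONLY_CONFIG), ("both", FULL_CONFIG)]:
        verdict = first_rejecting_layer(read_limits(cfg), SAMPLE_REDIRECT)
        print(f"{name:9}: {'accepted' if verdict is None else 'rejected by %s.%s (%d > %d)' % verdict}")
```

Run it against your own web.config by passing the file contents to read_limits; the "iis-only" case is the situation the post describes, where the request-filtering limit was raised but ASP.NET still refused the query string until httpRuntime was changed as well.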