User Profile
yoelh
MicrosoftJoined 4 years ago
User Widgets
Recent Discussions
Azure AD B2C authorization code and refresh token size increase update
Update September 11, 2023: This post is irrelevant anymore As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling out a format change that increases the size of OAuth 2.0 (and OpenID Connect) authorization code and refresh tokens returned to your application. If your application is configured to accept the OAuth2 authorization code as query string parameter or URL fragment, this change might impact users in the following scenarios: Users with old web browsers such as internet explorer may exceed the URL length limit. If your application runs on web servers, behind firewalls or reverse proxies with low URL length limits or configuration. The OAuth2 (and OpenID Connect) protocol specifies three response modes which specify how the authorization code is returned to your application. With the query and fragment mode the authorization code is returned as a query parameter or fragment of the URL. In the form_post mode, response parameters will be encoded as HTML form values that are transmitted via the HTTP POST method and encoded in the body. For information, check out the OAuth 2.0 authorization code flow in Azure Active Directory B2Carticle. To mitigate URL lengths issues: For web applications, we recommend using OAuth2 response_mode set to form_post, to ensure the most secure transfer of tokens to your application. For single page application with authorization code flow and PKCE, reduce the number of claims omitted to your application. In the user flows, and custom policies remove claims that are unnecessary for your app. You can use the user info endpoint to return claims about the authenticated user. This will minimize the size of the authorization code and the refresh token. This change should not affect device-installed apps, such as mobile and desktop apps. The change also impacts the size of the refresh token. MSAL library caches a token after it has been acquired. For web applications with in-memory cache, or a distributed token cache, make sure your cache system can handle the size of the refresh token, or reduce the size of the refresh token as described in the previous section. Yoel28KViews1like36CommentsRe: Azure B2C integration with SPID
Dearfabriziodinapoli, The saml:AuthnContextClassRef can be included in the authentication request Azure AD B2C sends to the SPID identity provider. For more information, please see: Configure SAML identity provider options with Azure Active Directory B2C Yoel2.7KViews0likes0Comments
Groups
Recent Blog Articles
No content to show