
I have an MVC app which uses the Microsoft.AspNetCore.Authentication.OpenIdConnect middleware against IdS4 (Core 1.1). The MVC app calls a backend web API with the access token obtained after authentication. I'm using the "code id_token" response type. I have segmented the API using scopes, but I have quite a few of them, i.e. 15. When I build the OIDC options I add the scopes which the client requires:

oidOptions.Scope.Add("usersRead");           // Api scope
oidOptions.Scope.Add("usersWrite");          // Api scope

This has worked absolutely fine. However, I added a further two scopes and now IdS reports the following when the MVC app does an OIDC challenge against IdS, i.e. before the user gets presented with the login form:

bad request

I can remove any two scopes from the list in my MVC app and it starts working again. This makes me think there is some limit on the number of scopes which can be requested, or some issue with URL length? I had a look at the source code for the OIDC middleware and IdS and I cannot find anything which would limit the number of API scopes a client may request.

Any ideas?

  • Perhaps the log may have additional information. Did you check the logs? Commented Nov 29, 2017 at 5:16
  • Try removing two scopes from the request, then make the name of the third one too long, to find out whether the issue is an "issue with URL length". Commented Nov 30, 2017 at 5:53

1 Answer

Thanks for the comments. After setting up log streaming in the Azure Web App the problem was immediately highlighted. Indeed, there is a string length limit on the artifacts which make up the token request, specifically 300 characters for the scope string. We have shortened the scope names and now everything is working fine.

For reference, please see: https://github.com/IdentityServer/IdentityServer4/blob/aspnetcore1/src/IdentityServer4/Configuration/DependencyInjection/Options/InputLengthRestrictions.cs

Note that this is for .NET Core v1.1; similar restrictions apply to v2.0.
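A pre-flight check for the limit the answer points to, added here as an example (it is not code from the question, the answer or IdentityServer4): it builds the authorize query the OIDC middleware would send and measures the decoded scope value against the 300-character default, naming the scope that tips it over. The 300-character figure is the only value taken from the page; the scope names are constructed, and it is my assumption that the middleware joins Options.Scope with single spaces.

```python
# Added example (not code from the question, the answer or IdentityServer4).
# Assumes the middleware joins Options.Scope with single spaces and that the
# server checks the decoded "scope" value against InputLengthRestrictions.Scope.
from urllib.parse import parse_qs, urlencode

IDS4_DEFAULT_SCOPE_LIMIT = 300  # InputLengthRestrictions.Scope default (from the answer)


def build_authorize_query(client_id, redirect_uri, scopes, nonce, state):
    """Query string a "code id_token" challenge carries to /connect/authorize."""
    return urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "scope": " ".join(scopes),
        "response_mode": "form_post",
        "nonce": nonce,
        "state": state,
    })


def check_scope_length(query, limit=IDS4_DEFAULT_SCOPE_LIMIT):
    """Return (ok, length, culprit): culprit is the first scope that pushes the
    cumulative decoded scope length past the limit, or None when it fits."""
    scope_value = parse_qs(query)["scope"][0]  # '+' decodes back to spaces
    running = -1  # no separator precedes the first scope
    for name in scope_value.split(" "):
        running += 1 + len(name)
        if running > limit:
            return False, len(scope_value), name
    return True, len(scope_value), None


# Constructed scope names modelled on the question's "<resource>Read/Write" scheme.
RESOURCES = ["customerAccounts", "invoiceDocuments", "purchaseOrders", "shippingManifests",
             "warehouseInventory", "supplierContracts", "paymentSettlements", "auditTrailEvents"]
LONG_SCOPES = ["openid", "profile"] + [r + a for r in RESOURCES for a in ("Read", "Write")]
# The same permissions after shortening the names, as the answer describes doing.
SHORT_CODES = ["cust", "inv", "po", "ship", "wh", "sup", "pay", "audit"]
SHORT_SCOPES = ["openid", "profile"] + [c + a for c in SHORT_CODES for a in (".read", ".write")]


def check_client_scopes(scopes):
    """Run the check on the request an MVC client configured with these scopes would send."""
    query = build_authorize_query("mvc", "https://mvc.example/signin-oidc", scopes, "n0", "s0")
    return check_scope_length(query)


if __name__ == "__main__":
    for label, scopes in (("long", LONG_SCOPES), ("short", SHORT_SCOPES)):
        ok, length, culprit = check_client_scopes(scopes)
        print(f"{label}: {len(scopes)} scopes, {length} chars, ok={ok}, first over limit: {culprit}")
```

Running the check against the client's configured scope list at startup turns the server's bare "bad request" into a message that names the offending scope before a user ever hits the login page.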
