Microsoft Entra: ResponseMode "query" is not working good #2066
Comments
It's definitely not normal: you're not expected to get back an identity token in the authorization response when using

The OpenIddict client fully supports both openiddict-core/src/OpenIddict.Client/OpenIddictClientHandlers.cs Lines 4434 to 4626 in 8f9fdb0

You can override the response modes/types OpenIddict is allowed to negotiate by adding at least one value to

```csharp
options.UseWebProviders()
    .AddMicrosoft(options =>
    {
        options.SetClientId("cce8c58c-df3e-4bde-96e5-1a1954e35cca")
               .SetClientSecret("2ko8Q~mPuwRhhNoe6VmO3vlYkWtcBU~gxQHfEbCB")
               .SetRedirectUri("callback/login/microsoft")
               .AddScopes(Scopes.OfflineAccess);

        // Explicitly allow form_post and the hybrid "code id_token" response type.
        options.Registration.ResponseModes.Add(ResponseModes.FormPost);
        options.Registration.ResponseTypes.Add(ResponseTypes.Code + ' ' + ResponseTypes.IdToken);
    });
```

Of course, for the reasons I mentioned earlier, I don't encourage you to do that.

Note: this won't work before a new version including #2067 is released, as the current version doesn't list "implicit" as a supported grant type for the Microsoft provider.

Please share a Fiddler trace (you can send it privately by emailing me if you prefer).
Hi Kevin, many thanks for the quick reply.

I'm sorry I did not make myself clear. The id token is not returned with the returnUrl, but the code is instead. This param gets very "long" in the repro case I described in the issue. Sure, I will try to record and send some Fiddler traces; at the moment I have only got a few screenshots of the IIS error (404.15).

I totally agree with you. We are going to manage this "issue" by extending the default IIS request limit; as far as I know it was due to old Internet Explorer.

Thanks for the suggestion. I am still taking my first steps with OpenIddict and loving it. Thanks for your effort.

Looking forward to this! Thanks!

I will do it asap. Thanks.

I sent a Fiddler trace privately. Thank you.
Hi @alexstooky, Thanks for the Fiddler trace: it indeed confirms Entra ID returns a fairly long

@jennyf19 hey Jenny, hope you're doing well! Do you happen to know whether getting back a quite long Entra ID authorization code after an Entra ID+external provider authorization dance is expected? 😃

@alexstooky I decided to introduce new (advanced) APIs to support configuring explicit code challenge methods/grant types/response modes/response types without having to directly set them on the registration in OpenIddict 5.6.0. E.g. to configure explicit response modes/types:

```csharp
options.UseWebProviders()
    .AddMicrosoft(options =>
    {
        options.SetClientId("cce8c58c-df3e-4bde-96e5-1a1954e35cca")
               .SetClientSecret("2ko8Q~mPuwRhhNoe6VmO3vlYkWtcBU~gxQHfEbCB")
               .SetRedirectUri("callback/login/microsoft")
               .AddScopes(Scopes.OfflineAccess)
               // New 5.6.0 helpers: no need to touch options.Registration directly.
               .AddResponseModes(ResponseModes.FormPost)
               .AddResponseTypes(ResponseTypes.Code + ' ' + ResponseTypes.IdToken);
    });
```

See #2075.
@kevinchalet: maybe a lot of scopes are requested?

@jmprieur AFAICT by looking at the Fiddler trace @alexstooky sent me, only

@alexstooky do you allow me to share the trace you sent me with @jmprieur (who's a Microsoft employee)?

Yes sure, thank you!

@jmprieur let me know if you'd be interested in investigating and I'll send you the trace file by email 😃

@alexstooky it looks like there isn't much interest from the Identity division to investigate this issue. I suggest you open an official support ticket via Azure to force them to take a look at it: having to use

Closing as there's nothing I can do from my side.

Thank you anyway @kevinchalet. We will think about the best way to "fix" this; to me it is ok/better to extend the default IIS
Personal contribution
Version
5.5.0
Provider name
Microsoft
Describe the bug
In some cases, with very long id tokens, the ResponseType "code" creates a returnUrl that is too long and is blocked by URL request filtering (IIS server - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/requestlimits/#attributes), whose default is 2048 bytes.
The Microsoft doc referenced by the WebProvider (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc) suggests using "form_post" as ResponseMode and "id_token" as ResponseType, but the WebProvider currently implemented uses "query" as ResponseMode and "code" as ResponseType.
I would love to contribute a fix for this or (better, to me) expose an extension method in order to override the default ResponseMode and ResponseType.
To reproduce
Configure the Microsoft WebProvider and add to Entra some guest users with external providers, e.g. Google. The issue is not present when logging in with the common Entra login flow.
Exceptions (if any)
No response
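The workaround the reporter settles on in the thread is to raise the IIS request-filtering limit rather than switch to form_post. The following web.config fragment is an added example of that change; it is not code from the issue or from OpenIddict. IIS request filtering rejects a request with HTTP 404.15 when the query string exceeds maxQueryString (default 2048 bytes) and with 404.14 when the URL path exceeds maxUrl (default 4096 bytes). The 8192-byte values below are assumptions; size them to the longest authorization response you actually observe in a trace.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Defaults: maxUrl="4096", maxQueryString="2048" (both in bytes).
             404.14 = URL too long, 404.15 = query string too long.
             The values below are assumed for this example; raise them only
             as far as the observed Entra ID authorization code requires. -->
        <requestLimits maxUrl="8192" maxQueryString="8192" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering runs before the request reaches the application, so the 404.15 shows up in the IIS log, not in ASP.NET Core logs. If the site is hosted out-of-process, Kestrel separately enforces KestrelServerLimits.MaxRequestLineSize (8 KB by default) on the request line, which includes the query string, so that limit may need raising as well. If you instead adopt the form_post response mode discussed earlier in the thread, the authorization response arrives as a cross-site POST, so any correlation or state cookie issued at challenge time must be sent with SameSite=None; Secure, otherwise the callback will not see it.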