Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Large state parameter causes Authorize EP output 404 #1415

Open
sudipster opened this issue Sep 20, 2024 · 1 comment
Open

Large state parameter causes Authorize EP output 404 #1415

sudipster opened this issue Sep 20, 2024 · 1 comment
Labels
IdentityServer

Comments

@sudipster
Copy link

sudipster commented Sep 20, 2024
edited
Loading

Which version of Duende IdentityServer are you using?
6.2.3
Which version of .NET are you using?
6
Describe the bug

We are federating IDS with an external IDP in AWS via OIDC. In an edge case, it seems if I trigger SSO for a user, that IDP is generating a very large state parameter and it causes IDS to throw 404 error at Authorize EP. If I keep shortening the State parameter, Authorize EP eventually works. It does not look like the chrome url length limit was reached, the total length of the url including the large state parameter (2,372 chars in length) is 2,437 chars. Not an extremely crucial scenario. But would be good to know why this is happening. Thanks.

image

To Reproduce

-Use the Authorize EP below and substitue your ids-host, clientId, redirect_uri, etc. or just grab the state param from the url below and replace the state param generated by your client. It should produce 404 error code.

https:///connect/authorize
?client_id=
&scope=openid%20profile
&response_type=code
&redirect_uri=
&state=eyJkZXN0aW5hdGlvbiI6IiMvZGlzcGxheS8xMjMiLCJzc29OYW1lIjoidG1uYXNleHByZXNzIiwiaXNQcmV2aWV3Ijp0cnVlLCJkb21haW4iOiJleHByZXNzIiwiY29udGV4dCI6eyJ1bnFvcmtBdXRoVG9rZW4iOiJleUpoYkdjaU9pSlNVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKMWMyVnlJanA3SWw5cFpDSTZJakprWTJNNE1tRmtMVFJpTlRZdE5HWmpaUzA0WVdaakxXSm1OelF3TkdVM1pESmtaU0lzSW1GMWRHaE5aWFJvYjJRaU9pSnZhV1JqSWl3aVlYVjBhRTFsZEdodlpFUmxkR0ZwYkhNaU9uc2liM0FpT2lKMGJXNWhjMlY0Y0hKbGMzTWlmU3dpYVhBaU9pSTNOUzR5TVRrdU16UXVNVFlpTENKcGMwUmxjMmxuYm1WeVZYTmxjaUk2Wm1Gc2MyVXNJbk5sYzNOcGIyNUpaQ0k2SW1SaU1qRmhOREJrTFdJellqa3RORE5rTnkxaE5XVTBMV1ZqWWpVM1pqSmpPRE0xWkNJc0luSmxabkpsYzJoRmVIQWlPakUzTWpZNU1qZzJPVGMyTlRNc0lsOWpjM0ptSWpvaWJIRXlNUzB6TkhZNVoxWjRRbFJWYVVjdE56QlZXV0pGSWl3aVpYaHdJam94TnpJMk9EVTJOekF3ZlN3aVpYaHdJam94TnpJMk9EVTJOekF3TENKcFlYUWlPakUzTWpZNE5ESXpNREI5LnFPLVJRX3Fnemh3Vml3dXBOTWlRUEZ0LUtEUE1pRDlpM3VfS1JrcVV0bXUwUXlBdHY0WHphYkhCV3V5Z0hrYUM1Z24zVnVBd3BOX3pKV092MEN2dUZobEZJSlJ1dWYtZ3JQOUNFVFJ2dVZLandIZ1N2UmRLbEtwOEFlMG5EUExJZS1JMmZybUhQR0F6NEx0Z0R4dmd3SUZJajZ6TEZodGVtWFJiVU1hV2pBaWppZFJSb0lZZ1hDX283ZDVpRXFKY09mZWNSYTVSOEVvYmVZUzZqdWhZRE03WGpSUTJ2NzVyc1F1R2hXZ2txLUZibWlGbWZrV0RxRVhoYTl6ZkFhbmw2UGlNWGItNkRMTXdKaGlJSVpCWXNkUjNOYnNnVk5zc0ZrR3htUkxBdnRkX2dCMW1QS0xkVm5tX0x1aEx6ZUhDQjFfaTRLSlNrRGVjelJjdlM3TlNTZyIsInVzZXJEYXRhIjp7InVzZXIiOnsiX2lkIjoiMmRjYzgyYWQtNGI1Ni00ZmNlLThhZmMtYmY3NDA0ZTdkMmRlIiwiYXV0aE1ldGhvZCI6Im9pZGMiLCJhdXRoTWV0aG9kRGV0YWlscyI6eyJvcCI6InRtbmFzZXhwcmVzcyJ9LCJpcCI6Ijc1LjIxOS4zNC4xNiIsImlzRGVzaWduZXJVc2VyIjpmYWxzZSwic2Vzc2lvbklkIjoiZGIyMWE0MGQtYjNiOS00M2Q3LWE1ZTQtZWNiNTdmMmM4MzVkIiwicmVmcmVzaEV4cCI6MTcyNjkyODY5NzY1MywiX2NzcmYiOiJscTIxLTM0djlnVnhCVFVpRy03MFVZYkUiLCJleHAiOjE3MjY4NTY3MDB9fSwidXNlckF0dHJpYnV0ZXMiOnsiYXV0aFVzZXIiOnsiX2lkIjoiMmRjYzgyYWQtNGI1Ni00ZmNlLThhZmMtYmY3NDA0ZTdkMmRlIiwiYXV0aE1ldGhvZCI6Im9pZGMiLCJhdXRoTWV0aG9kRGV0YWlscyI6eyJvcCI6InRtbmFzZXhwcmVzcyJ9LCJpcCI6Ijc1LjIxOS4zNC4xNiIsImlzRGVzaWduZXJVc2VyIjpmYWxzZSwic2Vzc2lvbklkIjoiZGIyMWE0MGQtYjNiOS00M2Q3LWE1ZTQtZWNiNTdmMmM4MzVkIiwicmVmcmVzaEV4cCI6MTcyNjkyODY5NzY1MywiX2NzcmYiOiJscTIxLTM0djlnVnhCVFVpRy03MFVZYkUiLCJleHAiOjE3MjY4NTY3MDB9fX19

Expected behavior

Authorize EP should function as normal.

Log output/exception with stacktrace

NA

Additional context

NA
@StuFrankish
Copy link

The state value you've posted is quite large, containing a significant amount of duplicated data, which is likely contributing to the issue. Browser limitations on URL length vary, but if you haven't already run into these, it's very likely to happen soon.

In particular:

  • The userData and userAttributes properties contain identical information.
  • The JWT in the unqorkAuthToken property appears to duplicate much of the same data as both userData and userAttributes.

Is this duplication a deliberate decision based on specific requirements? If not, a more efficient approach would be to store this state server-side and use a reference value, such as a GUID, in the state parameter. This will significantly reduce the size of the URL and help avoid browser and server limitations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
IdentityServer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sudipster @StuFrankish