AddMicrosoftAccount callback to /signin-microsoft request query too large

[norr-carr]

We are using Duende Identity Server (7.4.4) with both local and external providers. We have enabled Microsoft Single Sign On using

.AddMicrosoftAccount(MicrosoftExternalAuthenticationOptions.AuthenticationScheme, options =>
{
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.ClientId = serverOptions.MicrosoftExternalAuthentication.ClientId;
    options.ClientSecret = serverOptions.MicrosoftExternalAuthentication.ClientSecret;
    options.Events.OnAccessDenied = OnAccessDenied;
})

This has worked in production in the past.

Recently we began getting the 404 status code on the request back to Identity Server at /signin-microsoft. We determined this was due to the large request size and increased the request limits, which temporarily solved the problem. I'm not aware of any changes made to the EntraID settings that would have caused the change, but we did recently update Identity Server. I'm now searching for any way to determine how we can minimize the size of the request and return our request limits back to their defaults.

I tried the recommended approach in https://docs.duendesoftware.com/identityserver/ui/login/external/#state-url-length-and-isecuredataformat of adding services.AddOidcStateDataFormatterCache(); which did reduce the request size in other callbacks, but did not appear to change this request size.

I read https://github.com/orgs/DuendeSoftware/discussions/219 which appears to suggest the same fixes that I've already tried and https://github.com/orgs/DuendeSoftware/discussions/23 which talks about the size of Cookies returned when authenticating to Microsoft using OpenIdConnect set up manually.

Is there any way to reduce the request size from Microsoft? Is there any way to see what information is included in the code and session state query parameters that are so large?

Example request:

https://localhost:5001/signin-microsoft?code=1.AVsAV6tFcJCSY0ajFBHBeu3DqfykeXDq7gNGkbewi6Pq3RcAAABbAA.BQABBAIAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwIAAAAAAEQTo-G4h3yXgIxoQyELQz-chfRPghUysbuWxoFzmsF8VQQifU6AZNeT9bQG4di35mVQvZ54_DgNNHALcjrMMVnPB1ZCDRschOQgpMxzrBFtJ2T7gCXdpM_CH2PDwe3GDFP6fGJapfkzbmqVDMnIspOwHOrV9YrlIgs5yz2Bnn80yDTUSH3rvGJofUBFcFA_I10f_wy-JfoB2lOZGn2K0ISCzohQaX5YxbODhuG87bcfCpF4nB_jGAYu-v9IG3FwxvKCRjpA7RtdctuIEQ2WL0QJ1Cdz8MifJdkXX6b8TGj9KdoqTIo2-pzOKOx2Ob3X6IBEb8EkOUeDEuYrP9fSxd3Zi7o1ZRCmUd7AhRsJ_kcouyPSHkqgp_3k-qW1PSYc7Ft56kZdN1cn1R5nHqah7kkmnMet90TKpqv8R4NjihSW_SkBrUmWJw7vRQKzrTzPzVip86hgEz5J2Cj_htS-bZJUEOelz-Sof4qp1P7i6YLbI9yUhErHkxCQr5KzkmJo6U-BsqzgwEO0NkldvmkFnfd0nGgqEDIGGAs5GmbPll7h5r77kp_DI03QCJbcc5d61Gr0tYDxnYIidYy3A_4OhciBhYTlC9oW9hOn8OzaD0XQ0PK5Sbu7Cu3Ed5uqij5B8yRUAfV5B2HAF-M36CZFa-rznuM6WLQZ1XlmxXmW5V2q_ojFwS9XkYtKf4OZ_BvD14zEVl4Y21cPnjdnzQXFdE9ObiHoilD_0b2MXhVKY1uTwu5c3i1thpIYEdQJXlCSypeCq8pfY9rBRyT0ZVfEGuAG8rqzvTU7WKFWM6nncA_SPWiRTYw-dMKyZWKMQxSOR8a0lOkEAc8lYzQ5XEz6Jv4-WLW5KGkZ9QnhIDycg5-j6YXJAEnRDIz-SMvr1k5IF0lUcIdzvv41dBlRY-ozlkjyZ1Bd10J7pJPs7SALGtKmp2ILzdGCnzC5tBsOvFUEzTXl9knANWeBsYo-DGWTZSCyzEypDHmEk7bar3vqKYocWqlzfOrfQ-fkgt9wospox-UI6fY-s4usjLhjXJ-zyISfdjzllJPEGMHGjUI-eSGJ-313ENrujPixp92NZnpfZMPA-NEh5hUAAXQuURSPW1cpD8RWwLCzxcr-_h0G3dtZWa1ZJUGiifpeSMC3ft_Bc9HpKbFqWtulJpvCdhi1XtDCduICWXhQlicxlIHXrnRdbJOaTjyAKnE2UW3-OHsenD9cJvz1ogUyQWUgUcY7aTkZcVaJW_LSVtbmtg-NB_y_6KEoCko5UB6GEwCsYLfQgT_B4nvgy3xucbTpMvicv_T5Z3IzhxsiB4_-yD0JeR2GigHLkRO_bX3qdYq-dAaHVP7GxGnPTCSj3gVAicJksCypqVPJpbebMklk4o5q3ndCuXVnrb54&state=CfDJ8NlqYTINa5xJpDOf0I8FA0nyE9lbp5PcQYPwUsp4IpaMsxjE2oQ5TW7VI9XXNF15C-OVGGnhofsvuggCWnmOo6_Lb8r41sNMstjeJqB30SwlD5LVW2u6MS7VNS47Iy7U25ovgaWWh7Ro-FPfR-Utbvs3C2LS6typcRRRZbFyKceNfQIuuCU8qCjuVmGuyXRWz5D9U-pPlU093hXEqvNZxR3LKIj6sQSewYQNFTP7NTU4nhqr5FHR2O_ZtcrYPSk11ZKuGiBueISUvToCNx0S1AXZons5wXwfeqYL9CiAwa5iuU_rOnhWpx72yfySmmP8fxC-2bxWpO8-hgBZKB21ACF9hgCQHFWxEHAFL_wGkuO43ro5PILlthYHfXHapdwm-al3PYapiJltj-CPoS4AIaFSgRszj0yNPkWgEKoZxQUpcfLKkBODb509yJKz_GAPcV9caPBMM8iTv0xY9d1-UmD3IXPhxV85JrUhlCUIeOVR64UaGJcjQjueyTeMZvnz1aVxl2rgTim8fLv1LahoGqwM_PycBkYam0hVhdpva7U3uUBmmUczy5s8exqmUngy44Vmj1p2XaMZR1oSu6pf6s0-Mpw81o2XUFIKC9JJZsDYZaQI08EDZ35yZR3QexL8yKNnaJXPZV_eQdtRnzKu9i9w4agjHEEc9j6Hj60A3RtYU3kgNJs4ihUEcdtNSHlhjqKWJeJrhCQcWYTHw9UMl5SAbfHHrPfevqwzhtXmCAqdFZSsF7W5Ps6zza4M_Oy0Jr2kSP8hhg9d_wGo5rB5Ad39fcq4PWRTT8sq6Xpv_YI0T9bqvNa7EXktJbmNkiP1XPFHr8qp-XVnGYHrWeEKNrve4jBkZzawAsIC-d-HqkusDPOTFsjkUuukivXKXcarw-VBU1leqOGHojiu4AiaTvUz2v3xEie3r9--IRMxD5YH74YDcrWz7lvmQ6glmO3_x4CsdU-kdn-Y618virYtZbXkBAnf2VwF70wQaj4jPWSTAUNzEEMGkwdi0g3Diqu9pN0jr6_JdELASPg9CBJ6aNhzOAGl69zM02iSd_EBbss1wJbKUl4P7BssOTthia3Qq9q0-XqW5TyXvaEBh4On0ZKiu5RrGt1byT3bGtJMp13QVL2HRDkd_agOm9dUoOeuIjV0RbeVm60IApnkwaZh34uR8l6w2CHOXb5-Khmz-pCoGVV9vT8Has79kUyKDSpWectQN5P662wFB-JOoNtgrx2e5ts6PL5BJ-oAms6508zv7D64-eUcx2WC6u55LpR_AB9OQxN5J3fXVOMot5AhvX6D7RN76HeyFfLYASuQ16ddw4fp2svAwW6siBpGl9bwD9ZyXp5bUlzI_DhUfGV9g9FNpHb3j2PrYgMOh7OQ5h1zUvjp-aB5FI0LZ2O_PYLuN1-mNDBDukIhPXmDzDGBmpm6DDnINmRV5uRYC1ZKZL8EGp1P2KW4KI-aFpz0xVjVk5TBxqYMU-IM0lV8Bb_TymRWR9pcfsL7RqIHv6YhIcDL4VOXFyA6s_sftlBw2Z1RNOajYTff7OIFvfn_QBOsW8q0pSGgBLffxmlCdqdvBjKHwIPeGiVhhdh-LzD_xaq9on6GaBrCW35XUxF-OrTKkyD_sKILv6QTebxjWO2ZlEO2NZP63ipElFFobi2HdRomlvXs0cDCV0QPQR0L7zBjU9w&session_state=002235ea-213e-9543-df42-5bc0e1f375b9

[wcabus]

This looks like an issue with how the integration with Microsoft account is done in ASP.NET Core.

We do have some documentation on how to configure your web server to allow for larger URIs, but unfortunately, the query string is being created by Microsoft when authenticating using a Microsoft account, so this is beyond the control of Duende IdentityServer.

[norr-carr]

Thanks Wesley. Could you elaborate on "how the integration with Microsoft account is done in ASP.NET Core"? I understand that Azure is creating the query string so we may have little control over that. But if the issue is with the .AddMicrosoftAccount() call then maybe switching to setting it up manually with AddOpenIdConnect() could help?

[wcabus]

It's a combination of both how Microsoft has implemented the flow on their end when authenticating using a Microsoft account as an external identity, and how the authentication handler is implemented to match said flow.

I'm not sure if configuring this manually using AddOpenIdConnect is going to work, since the authentication handler is based on the OAuth base handler.