Mar 17 2023 06:48 AM - edited Sep 11 2023 04:16 AM
Update September 11, 2023: This post is no longer relevant.
As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling out a format change that increases the size of OAuth 2.0 (and OpenID Connect) authorization code and refresh tokens returned to your application. If your application is configured to accept the OAuth2 authorization code as query string parameter or URL fragment, this change might impact users in the following scenarios:
The OAuth2 (and OpenID Connect) protocol specifies three response modes, which determine how the authorization code is returned to your application. In the query and fragment modes the authorization code is returned as a query parameter or as the fragment of the redirect URL. In the form_post mode, the response parameters are encoded as HTML form values and transmitted in the body of an HTTP POST request. For more information, see the OAuth 2.0 authorization code flow in Azure Active Directory B2C article.
To mitigate URL length issues:
The change also affects the size of the refresh token. The MSAL library caches a token after it has been acquired. For web applications that use an in-memory cache or a distributed token cache, make sure your cache system can handle the size of the refresh token, or reduce the size of the refresh token as described in the previous section.
Yoel
Apr 20 2023 09:41 AM - edited Apr 20 2023 09:43 AM
@KStuber Sure, here you go, please make sure to add / extend those blocks in the right place:
<!-- ASP.NET runtime limits (path and query-string length in characters) -->
<system.web>
  <httpRuntime maxUrlLength="4096" maxQueryStringLength="4096" />
</system.web>
<!-- IIS request filtering limits (path and query-string length in bytes) -->
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxUrl="4096" maxQueryString="4096" />
    </requestFiltering>
  </security>
</system.webServer>
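An added check, written for this thread and not taken from the post, the reply above or MSAL, that ties the post's URL-length mitigation to the web.config values in the reply: it computes how long a query-mode redirect becomes for a given authorization code and reports every IIS/ASP.NET limit that is smaller than that. The redirect URI, the 5,400-character code and the IIS/ASP.NET default values are assumptions; the config text is the reply's snippet wrapped in a root element.

```python
"""Check whether an ASP.NET/IIS web.config lets an OAuth2 authorization response
in query or fragment response mode reach the app once the code has grown.
Example code written for this thread, not from the post, the reply, or MSAL."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Values IIS/ASP.NET apply when an attribute is absent (assumed, from the IIS docs).
DEFAULTS = {"maxUrl": 4096, "maxQueryString": 2048,
            "maxUrlLength": 260, "maxQueryStringLength": 2048}
REQUEST_LIMITS = "system.webServer/security/requestFiltering/requestLimits"
HTTP_RUNTIME = "system.web/httpRuntime"


def redirect_lengths(redirect_uri, code, state=""):
    """Length of the full redirect URL and of its query string in query mode."""
    query = urlencode({"code": code, "state": state})
    return len(redirect_uri) + 1 + len(query), len(query)


def audit_web_config(xml_text, url_len, query_len):
    """Return (setting, configured, required) for every limit that is too small.
    The full URL length is held against the URL limits: conservative, but it
    matches the 'raise both' advice in the reply above."""
    root = ET.fromstring(xml_text.strip())

    def limit(path, name):
        node = root.find(path)
        value = node.get(name) if node is not None else None
        return int(value) if value is not None else DEFAULTS[name]

    configured = {
        "maxUrl": limit(REQUEST_LIMITS, "maxUrl"),
        "maxQueryString": limit(REQUEST_LIMITS, "maxQueryString"),
        "maxUrlLength": limit(HTTP_RUNTIME, "maxUrlLength"),
        "maxQueryStringLength": limit(HTTP_RUNTIME, "maxQueryStringLength"),
    }
    required = {"maxUrl": url_len, "maxUrlLength": url_len,
                "maxQueryString": query_len, "maxQueryStringLength": query_len}
    return [(k, configured[k], required[k])
            for k in configured if configured[k] < required[k]]

# Constructed sample: the reply's web.config values, and a 5,400-character code
# standing in for the 5k-6k redirect URLs reported later in the thread.
SAMPLE_CONFIG = """<configuration>
  <system.web><httpRuntime maxUrlLength="4096" maxQueryStringLength="4096" /></system.web>
  <system.webServer><security><requestFiltering>
    <requestLimits maxUrl="4096" maxQueryString="4096" />
  </requestFiltering></security></system.webServer>
</configuration>"""
```

Call `audit_web_config(SAMPLE_CONFIG, *redirect_lengths(uri, code, state))` with the longest redirect URL seen in your own logs; an empty list means every limit is already large enough.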
Apr 20 2023 09:54 AM
@Florian Wachs Thank you! That worked great. We did see URL lengths in the 5k-6k range, so we just had to bump up the values to accommodate. I really appreciate the reply!
Apr 20 2023 12:19 PM
@eschillercourtalert Are you able to resolve this issue? Any update from Microsoft? We are facing the same issue with our Windows application. Thank you
Apr 21 2023 04:51 AM
@yoelh Wow, this caused us a lot of trouble. We have some desktop apps that let users log in using Azure B2C. This morning our support desk was overwhelmed with calls from customers not being able to log in due to this change. We found out that customers running an older version of our software were primarily impacted by this change. Customers running newer versions were not impacted. It turned out new versions use a newer version of the MSAL NuGet package, in which support for this change was introduced: Release 4.35.0 · AzureAD/microsoft-authentication-library-for-dotnet (github.com)
Limits on URL length in embedded browsers were causing errors with auth code. Applications will not fail on the embedded browsers due to the limitation. See issue #2743
We would very much like to know what we should have done to prevent this. Is this blog post the only way of communication regarding this update? What will Microsoft do in order to prevent this from happening again since a lot of replies mention the poor communication regarding this change.
Apr 22 2023 04:47 AM
@stijnsymons did the rollback resolve your issue?
Apr 23 2023 11:58 PM
Do you know if there has been any official communication from MS about the rollback? :) @paulvancoller-appsure
Apr 25 2023 09:20 PM
@User20230420 there were two things we did to address this issue:
1) Opened a ticket with Microsoft; eventually they temporarily rolled back this change for my tenant. No word on when the change will be made permanent.
2) Updated the version of the Microsoft.Identity.Client NuGet package in the desktop application. This addressed the issue until Microsoft rolled back the change.
Jul 05 2023 03:09 PM
@yoelh bump