Closed: ahmadellahib closed this 1 year ago
This problem is occurring because the state parameter grows larger as you federate - more state is added at each hop in the federation. Instead of storing most of the state in the request parameters, you can store the state server side. The OIDC handler includes an extension point to do this called the ISecureDataFormat, and IdentityServer ships with an implementation of that interface so that you don't even need to implement it. Under the covers, IdentityServer's ISecureDataFormat persists its data using IDistributedCache.

So to use it, you need to call AddOidcStateDataFormatterCache to add the service to DI, and then make sure that you have an IDistributedCache registered as well. If you're not load balancing your IdentityServer, you probably could use the simple MemoryDistributedCache, which just saves the values in memory. If you are load balancing, then you'll need a real distributed cache, such as Redis.
For more details, see our documentation here: https://docs.duendesoftware.com/identityserver/v6/ui/login/external/#state-url-length-and-isecuredataformat
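The wiring the reply above describes, as an added example rather than code from the thread or from Duende's own samples. It assumes a minimal-hosting `Program.cs`, an external AAD scheme named "aad", and configuration keys (`AzureAd:*`, `Redis:Configuration`) that are placeholders for this illustration; `AddOidcStateDataFormatterCache` with no arguments applies the cached formatter to every registered OIDC handler.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// 1. Register the IDistributedCache that the state formatter writes to.
//    Single instance: in-memory is enough. Behind a load balancer every
//    node must see the same entries, so use a real distributed cache.
if (builder.Environment.IsDevelopment())
{
    builder.Services.AddDistributedMemoryCache();          // MemoryDistributedCache
}
else
{
    builder.Services.AddStackExchangeRedisCache(o =>       // Microsoft.Extensions.Caching.StackExchangeRedis
        o.Configuration = builder.Configuration["Redis:Configuration"]);
}

// 2. Register IdentityServer and swap the OIDC StateDataFormat for the
//    cache-backed implementation. Only a short key travels in ?state=,
//    so the redirect to login.microsoftonline.com stays short regardless
//    of how many hops or how long the user's UPN is.
builder.Services.AddIdentityServer()
    .AddConfigurationStore(/* ... existing EF store setup ... */)
    .AddOperationalStore(/* ... existing EF store setup ... */)
    .AddOidcStateDataFormatterCache();   // no scheme names => all OIDC handlers

// 3. The external provider itself; nothing here changes for the cache.
builder.Services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.SignInScheme = Duende.IdentityServer.IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.Authority = builder.Configuration["AzureAd:Authority"];   // placeholder
        options.ClientId = builder.Configuration["AzureAd:ClientId"];     // placeholder
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.CallbackPath = "/signin-aad";
    });

var app = builder.Build();
app.UseIdentityServer();
app.MapControllers();
app.Run();
```

After applying this, the `state` query parameter sent to AAD should shrink to a short cache key; if a node still emits the long form, check that it resolves the same `IDistributedCache` as the others.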
Thanks for your response, I appreciate it!
Currently using Duende.IdentityServer.EntityFramework version 6.2.3 with .NET 7.0
We are using AAD as external provider and facing an issue on Edge browser only. We are using two emails with different domains. One works fine and one has issue only on Edge. When the user tries to login we are getting "AADSTS90015: Requested query string is too long." and this happens at: login.microsoftonline.com/common/resume?ctx=...
The first email account is 34 characters long, the second one is 43 characters. That is the only difference I can think of. The second one is of the pattern: abc@abc.onmicrosoft.com
The client configuration:
```csharp
clients.Add(new Client
{
    ClientName = ...,
    ClientId = ...,
    ClientSecrets = { new Secret(...) },
    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    RequireConsent = false,
    RedirectUris = { $"..." },
    FrontChannelLogoutUri = $"...",
    PostLogoutRedirectUris = { $"..." },
    AllowOfflineAccess = true,
    UpdateAccessTokenClaimsOnRefresh = true,
    AllowedScopes = { ... }
});
```
I tried decreasing the number of scopes, still didn't work.