IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

404 for endsession request with very long url #1795

Closed guidoffm closed 6 years ago

guidoffm commented 6 years ago

I have a logout request in the form

https://prosim3061.bku.db.de/connect/endsession?id_token_hint=xxxxxxxxxxxxxxxx&post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fauth.html

with a length of nearly 5000 characters. The server responds with 404. Maybe a configuration issue with ASP.NET Core.

brockallen commented 6 years ago

You need to work to minimize the size of the id_token. Also, you might want to implement the state data format to minimize the state param size like we do in IdSvr: http://docs.identityserver.io/en/release/topics/signin_external_providers.html#state-url-length-and-isecuredataformat

guidoffm commented 6 years ago

If there is no config option to increase the max url size we can close the issue

brockallen commented 6 years ago

I don't know if there is. What web server and hosting framework are you using? :)

daiplusplus commented 5 years ago

Commenting for the benefit of future visitors with the same problem:

Assuming you're using IIS 7 or later, you'll want to set <requestLimits> in your web.config (this is an IIS thing, so you'll need a web.config even though you're using ASP.NET Core which doesn't use web.config).

https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/requestFiltering/requestLimits/

Given that the maximum browser cookie size is 4096 bytes and that the browser will be passing id_token (often sent as a cookie) back to the server, it means we can set a reasonable upper-bound on maxQueryString to 8192 on the basis that you'll need at least 4096 bytes for id_token, plus another 4096 for other parameters like post_logout_redirect_uri and state. You'll also need to set maxUrl to a larger value (I use 10240 just to be safe).

web.config in your web-application root:

```xml
<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <requestLimits maxQueryString="8192" maxUrl="10240" /> <!-- maxQueryString="2048" is the default -->
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
```

This works in web.config files placed inside a website (i.e. on a per-Application-Scope basis) and does not need to be placed in applicationHost.config, so you can include this in your source-code repo.

Alternatively, you can also use IIS Manager (even to connect to an Azure App Service): https://stackoverflow.com/questions/43186826/azure-app-service-iis-maxrequestlength-setting
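As an added example (not code from this thread or from IdentityServer), the check below reads the `requestLimits` values from a web.config like the one above and tests whether an endsession URL of a given size would pass them; the hostname, token and redirect URI are constructed placeholders, and the fallback defaults are the IIS defaults.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed web.config mirroring the snippet in the thread (not from any real deployment).
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxQueryString="8192" maxUrl="10240" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# IIS request-filtering defaults used when web.config sets no requestLimits.
IIS_DEFAULT_MAX_QUERY_STRING = 2048
IIS_DEFAULT_MAX_URL = 4096


def read_request_limits(xml_text):
    """Return (maxQueryString, maxUrl) from a web.config, falling back to the IIS defaults."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.webServer/security/requestFiltering/requestLimits")
    if node is None:
        return IIS_DEFAULT_MAX_QUERY_STRING, IIS_DEFAULT_MAX_URL
    return (int(node.get("maxQueryString", IIS_DEFAULT_MAX_QUERY_STRING)),
            int(node.get("maxUrl", IIS_DEFAULT_MAX_URL)))


def endsession_url(base, id_token, post_logout_redirect_uri, state=None):
    """Build the endsession request URL; urlencode percent-encodes ':' and '/' as in the thread."""
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state
    return base + "/connect/endsession?" + urlencode(params)


def check_endsession_fits(xml_text, url):
    """Return (fits, query_len, url_len) for the URL against the config's limits.

    The whole URL is compared against maxUrl, which is the conservative reading.
    """
    max_qs, max_url = read_request_limits(xml_text)
    query = url.split("?", 1)[1] if "?" in url else ""
    fits = len(query) <= max_qs and len(url) <= max_url
    return fits, len(query), len(url)


if __name__ == "__main__":
    # Placeholder host and a ~5000-character dummy token, like the report in this thread.
    url = endsession_url("https://idp.example", "x" * 5000, "http://localhost:4200/auth.html")
    print(check_endsession_fits(WEB_CONFIG, url))
```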

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.