aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

OpenID Connect - Sign Out - AADSTS90015: Requested query string is too long. #2010

Closed oskarm93 closed 5 years ago

oskarm93 commented 5 years ago

I am using this sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore

I made one modification to the code, adding the SaveTokens flag:

public void Configure(string name, OpenIdConnectOptions options)
{
    options.ClientId = _azureOptions.ClientId;
    options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}";
    options.UseTokenLifetime = true;
    options.CallbackPath = _azureOptions.CallbackPath;
    options.RequireHttpsMetadata = false;
    // Store id_token/access_token in the authentication properties (cookie)
    options.SaveTokens = true;
}

I also made another modification in the AAD app manifest: "groupMembershipClaims": "SecurityGroup",

This gives me a longer ID token with group claims as I need them, but when I try to sign out, I get this:

Message: AADSTS90015: Requested query string is too long.

The signout URL is:

https://login.microsoftonline.com/<TenantId>/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fsignout-callback-oidc
&id_token_hint=<Nearly4KilobytesOfCharactersHere>
&state=<Another200CharactersHere>
&x-client-SKU=ID_NET
&x-client-ver=2.1.4.0

The id_token_hint is very long. Is it required, or can it be omitted somehow?

What I'm trying to do ultimately:

To that end, I modified my app code and manifest even further from the sample:

public void Configure(string name, OpenIdConnectOptions options)
{
    options.ClientId = _azureOptions.ClientId;
    options.ClientSecret = _azureOptions.ClientSecret;
    options.Authority = _azureOptions.AuthorityUri;
    options.Resource = _azureOptions.ResourceUri;
    options.CallbackPath = _azureOptions.CallbackPath;
    options.ResponseType = OpenIdConnectResponseType.IdTokenToken;

    options.UseTokenLifetime = true;
    options.RequireHttpsMetadata = false;
    options.SaveTokens = true;
}

App manifest additions: "oauth2AllowImplicitFlow": true

This allows me to get an access token for Azure Service Management in my controller like so: var accessToken = await httpContext.GetTokenAsync("access_token");
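The sign-out request in the report carries the id_token_hint because SaveTokens = true stores the id_token in the authentication properties, and the OpenID Connect handler copies that stored token into the logout message before raising the OnRedirectToIdentityProviderForSignOut event. That event is the supported place to inspect or drop the hint. The following is an added example, not code from the issue, the Azure sample, or the ASP.NET Core repository: it keeps the rest of the reporter's configuration and removes id_token_hint only when the assembled logout URL would exceed an assumed length threshold (MaxSignOutUrlLength is an assumption, not a documented AAD limit; AzureAdOptions and its members are assumed to match the sample's options class).

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;

// Assumed options class, mirroring the sample's AzureAdOptions.
public class AzureAdOptions
{
    public string ClientId { get; set; }
    public string Instance { get; set; }
    public string TenantId { get; set; }
    public string CallbackPath { get; set; }
}

public class AzureAdOptionsSetup : IConfigureNamedOptions<OpenIdConnectOptions>
{
    // Assumed threshold for the whole logout redirect URL; tune to the
    // provider's observed limit. Not a value documented by AAD.
    private const int MaxSignOutUrlLength = 2048;

    private readonly AzureAdOptions _azureOptions;

    public AzureAdOptionsSetup(IOptions<AzureAdOptions> azureOptions)
    {
        _azureOptions = azureOptions.Value;
    }

    public void Configure(string name, OpenIdConnectOptions options)
    {
        options.ClientId = _azureOptions.ClientId;
        options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}";
        options.CallbackPath = _azureOptions.CallbackPath;
        options.UseTokenLifetime = true;
        // Keep the default: metadata over plain HTTP lets a network attacker
        // substitute signing keys.
        options.RequireHttpsMetadata = true;
        // Needed for GetTokenAsync("access_token"); also what makes the
        // id_token available to be sent as id_token_hint on sign-out.
        options.SaveTokens = true;

        options.Events.OnRedirectToIdentityProviderForSignOut = context =>
        {
            var message = context.ProtocolMessage;

            // Build the URL exactly as the handler will, so the length check
            // covers post_logout_redirect_uri, state and the SKU parameters too.
            var logoutUrl = message.CreateLogoutRequestUrl();

            if (logoutUrl.Length > MaxSignOutUrlLength && message.IdTokenHint != null)
            {
                // Setting the property to null removes the parameter. The request
                // now fits, but the provider can no longer tie it to this exact
                // session and may ask the user which account to sign out of.
                message.IdTokenHint = null;
            }

            return Task.CompletedTask;
        };
    }

    public void Configure(OpenIdConnectOptions options)
        => Configure(Options.DefaultName, options);
}
```

Dropping the hint is a trade-off rather than a fix: id_token_hint is what lets the provider end the right session without prompting, so the cleaner long-term option is to keep the ID token small by not requesting group membership as claims ("groupMembershipClaims") and looking groups up server-side instead. Whichever route is taken, the length check above should run against the full URL, since the state parameter grows along with the properties stored by SaveTokens.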

blowdart commented 5 years ago

This issue was moved to aspnet/Security#1892