OpenID Connect - Sign Out - AADSTS90015: Requested query string is too long.

[blowdart]

From @xenalite on October 13, 2018 7:11

I am using this sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore

I made 1 modification in the code - added SaveTokens flag:

public void Configure(string name, OpenIdConnectOptions options)
{
   options.ClientId = _azureOptions.ClientId;
   options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}";
   options.UseTokenLifetime = true;
   options.CallbackPath = _azureOptions.CallbackPath;
   options.RequireHttpsMetadata = false;
   options.SaveTokens = true;
}

I also made another modification in the AAD app manifest: "groupMembershipClaims": "SecurityGroup",

This gives me a longer ID token with group claims as I need them, but when I try to sign out, I get this:

Message: AADSTS90015: Requested query string is too long.

The signout URL is:

https://login.microsoftonline.com/<TenantId>/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fsignout-callback-oidc
&id_token_hint=<Nearly4KilobytesOfCharactersHere>
&state=<Another200CharactersHere>
&x-client-SKU=ID_NET
&x-client-ver=2.1.4.0

The id_token_hint is very long. Is it required, or can it be omittted somehow?

What I'm trying to do ultimately:

• I'm creating a wrapper site around some Azure Service Management APIs.
• Log users in and implement group-claim based access control.
• Get their access token to Azure Service Management APIs in my controllers and pass them on.

To that end, I modified my app code and manifest even further from the sample:

public void Configure(string name, OpenIdConnectOptions options)
{
    options.ClientId = _azureOptions.ClientId;
    options.ClientSecret = _azureOptions.ClientSecret;
    options.Authority = _azureOptions.AuthorityUri;
    options.Resource = _azureOptions.ResourceUri;
    options.CallbackPath = _azureOptions.CallbackPath;
    options.ResponseType = OpenIdConnectResponseType.IdTokenToken;

    options.UseTokenLifetime = true;
    options.RequireHttpsMetadata = false;
    options.SaveTokens = true;
}

App manifest additions: "oauth2AllowImplicitFlow": true,

This allows me to get an access token for Azure Service Management in my controller like so: var accessToken = await httpContext.GetTokenAsync("access_token");

Copied from original issue: aspnet/Identity#2010

[blowdart]

@jmprieur The token_id_hint looks like it's based on the whole identity, including roles. What should we be building the token_id_hint from?

[brockallen]

https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

[blowdart]

Oh dear;

"Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client."

Which is what we're doing.

[leastprivilege]

Which is correct - maybe dumping everything and the kitchen sink into id_token wasn't a very good idea to start with ;)

[jmprieur]

would it be possible to compress the IDToken ?

[blowdart]

That would require support for decompression on the other side, and throwing the standards out the window. So .. no.

Could you hydrate the groups as part of claims transformation instead via the graph apis?

[oskarm93]

Do all claims have to be present in a hint?

[blowdart]

Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.

Yes, because you've put them all in the ID token the server issued.

[jmprieur]

It's possible to advise not to add groups to the token, and use the Graph API later. You would set the groupMembershipClaims property of the Application Manifest to None. Then to read the groups from the graph you can see this sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims

[Eilon]

Closing because no further action is planned on this issue. This is how OIDC works and it is best to try to keep tokens to a smaller size.