atinux / nuxt-auth-utils

Add Authentication to Nuxt applications with secured & sealed cookies sessions.
MIT License
973 stars, 91 forks

AADSTS90015: Requested query string is too long #249

Open AndrewR3K opened 1 month ago

AndrewR3K commented 1 month ago

I am running into an issue where end users are hitting this error, `AADSTS90015: Requested query string is too long`, when redirected to the AD login.

After digging further into the issue, I noticed that for some odd reason, the "scope" is being appended over 70+* to the authorizationURL.

Has anyone run into this? And if so, do you have a resolution?

Since this has been extremely hard to consistently reproduce, I have been banging my head against a wall all day and have yet to find the root cause.

Thanks in advance for the help!

AndrewR3K commented 4 weeks ago

Weirdly, it seems the following changes have "resolved" the issue for now, though this of course is not ideal.

I have yet to figure out exactly WHY this is causing sporadic duplicate scopes.

1. Hard-coded scope example:

```ts
// removed:
// const scope = config.scope && config.scope.length > 0 ? config.scope : ['User.Read']

return sendRedirect(
  event,
  withQuery(authorizationURL as string, {
    client_id: config.clientId,
    response_type: 'code',
    redirect_uri: redirectURL,
    scope: 'Group.Read.All User.Read User.ReadBasic.All profile openid email offline_access',
  }),
)
```

2. Removed the spread op:

```ts
...config.authorizationParams,
```
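The symptom in the original report (the same scopes repeated dozens of times in one authorize URL until Azure AD rejects the query string) is what you get when a request handler pushes default scopes onto an array that lives in the process-wide runtime config, so every request grows it a little more. The following is an added illustration of that failure mode and of a handler that works on a copy and de-duplicates; it is not code from nuxt-auth-utils, the thread does not establish that this is the library's actual root cause, and `REQUIRED_SCOPES`, `runtimeConfig` and the helper names are constructed for the example.

```javascript
// Added example, not nuxt-auth-utils code. Shows how mutating a shared
// config array inside a per-request handler accumulates duplicate OAuth
// scopes across requests, and how a copy-and-dedupe version avoids it.

// Hypothetical process-wide runtime config, as a Nitro server would hold it.
const runtimeConfig = {
  scope: ['Group.Read.All', 'User.Read', 'User.ReadBasic.All'],
};

// Defaults an OpenID Connect login needs; constructed for this example.
const REQUIRED_SCOPES = ['profile', 'openid', 'email', 'offline_access'];

const AUTHORIZE_URL = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize';

// Buggy: `scope` aliases config.scope, so push() leaks into shared state and
// the next request starts from an already-extended list.
function buildAuthorizeUrlBuggy(config, baseUrl) {
  const scope = config.scope && config.scope.length > 0 ? config.scope : ['User.Read'];
  for (const s of REQUIRED_SCOPES) scope.push(s); // mutation of shared config
  return `${baseUrl}?scope=${encodeURIComponent(scope.join(' '))}`;
}

// Fixed: build a fresh, de-duplicated list per request; config is never touched.
function buildAuthorizeUrlFixed(config, baseUrl) {
  const base = config.scope && config.scope.length > 0 ? config.scope : ['User.Read'];
  const scope = [...new Set([...base, ...REQUIRED_SCOPES])];
  return `${baseUrl}?scope=${encodeURIComponent(scope.join(' '))}`;
}

// Detection helper: how many times does one scope appear in an authorize URL?
// Anything above 1 means the redirect is drifting toward AADSTS90015.
function countScope(url, name) {
  const raw = new URL(url).searchParams.get('scope') ?? '';
  return raw.split(' ').filter((s) => s === name).length;
}

// Simulate N sequential logins against one process's config and return the
// last redirect URL produced.
function simulate(build, requests) {
  const cfg = { scope: [...runtimeConfig.scope] }; // fresh "process" per run
  let last = '';
  for (let i = 0; i < requests; i++) last = build(cfg, AUTHORIZE_URL);
  return last;
}
```

Running `simulate(buildAuthorizeUrlBuggy, 3)` yields a URL with `openid` three times, while the fixed builder keeps every scope at exactly one occurrence regardless of request count.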