I'm using ADFS 3.0 on Windows Server 2012 R2. I have an application that uses OAuth2 to request an authorization code and then obtain an access token using that code.

The application requires some context in their redirect uri, and sometimes this context results in a uri that's larger than 400 characters. When this happens, ADFS 3.0 returns:

MSIS9253: The authorization code received is invalid. The received client identifier or the redirect uri does not match the client id or redirect uri to which the received authorization code was issued.

I confirmed that this error is misleading. The client id and URI are exactly the same - the problem appears to be that ADFS 3.0 is truncating the redirect uri if the URI is greater than 400 characters in length. When it then compares the redirect URI passed during the access token request to the URI passed during the authorize request, they don't match!

I was able to connect directly to the database used by ADFS, and I confirmed their schema only holds 400 characters for the redirect URI.

[image: ADFS Artifact Store Schema]

Is there a way to allow for longer URIs?

RMD
I am able to work around this issue because I also am the author of the interacting application. As a result, I'm able to truncate the request to the token endpoint to only pass the first 400 characters of the redirect uri. As the initial authorization request returns the full redirect uri - even though it's truncating it when storing it - this results in a successful token request. I have to assume this is a bug in ADFS. – RMD May 03 '17 at 19:05
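The following is an added illustration, not code from the question author and not Microsoft's ADFS implementation. It models the behaviour described in the question and the comment: an authorization server whose code store keeps only the first 400 characters of `redirect_uri` (the column width the asker found in the artifact store schema), and a token endpoint that then does the exact-match comparison RFC 6749 section 4.1.3 requires. The `AuthServer` class, the `reject_overlength` switch, the client id and all URIs are constructed for the example; the switch shows the behaviour an authorization server should have instead (refuse an over-long `redirect_uri` at the authorize step rather than silently storing a value that can never match).

```python
"""Model of the ADFS 3.0 redirect_uri truncation described in the question.

Everything here is constructed for illustration: it is not ADFS code and not
the asker's application. The 400-character column width comes from the question.
"""
import secrets

REDIRECT_URI_COLUMN_WIDTH = 400  # schema limit the asker observed in the artifact store


class AuthServer:
    """Minimal authorization-code server with a fixed-width redirect_uri column."""

    def __init__(self, column_width=REDIRECT_URI_COLUMN_WIDTH, reject_overlength=False):
        self.column_width = column_width
        # hypothetical hardening switch: fail loudly instead of truncating silently
        self.reject_overlength = reject_overlength
        self._codes = {}  # code -> (client_id, redirect_uri as stored)

    def authorize(self, client_id, redirect_uri):
        """Authorization endpoint: bind a fresh code to client_id and redirect_uri."""
        if self.reject_overlength and len(redirect_uri) > self.column_width:
            # Hardened behaviour: the client learns about the limit immediately.
            return {"error": "invalid_request",
                    "error_description": "redirect_uri exceeds supported length"}
        code = secrets.token_urlsafe(24)
        # Root cause modelled here: the store silently truncates to the column width,
        # so the code is bound to a redirect_uri the client never actually sent.
        self._codes[code] = (client_id, redirect_uri[: self.column_width])
        return {"code": code}

    def token(self, client_id, redirect_uri, code):
        """Token endpoint: redirect_uri must equal the value used at authorization."""
        entry = self._codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            return {"error": "invalid_grant", "error_description": "unknown or used code"}
        stored_client, stored_uri = entry
        if stored_client != client_id or stored_uri != redirect_uri:
            # This is the situation behind the misleading MSIS9253 message:
            # the identifiers are "right", but the stored copy was cut short.
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def build_redirect_uri(base, context_len):
    """Constructed redirect URI carrying an opaque per-request 'context' parameter."""
    return f"{base}?context={'x' * context_len}"


def run_flow(server, client_id, authorize_uri, token_uri):
    """Run authorize then token, returning the final response for inspection."""
    resp = server.authorize(client_id, authorize_uri)
    if "error" in resp:
        return resp
    return server.token(client_id, token_uri, resp["code"])


if __name__ == "__main__":
    long_uri = build_redirect_uri("https://app.example/cb", 500)
    # Same full URI both times: fails, exactly as the question describes.
    print(run_flow(AuthServer(), "client-a", long_uri, long_uri))
    # The comment's workaround: present only the first 400 characters at the token endpoint.
    print(run_flow(AuthServer(), "client-a", long_uri, long_uri[:400]))
    # Hardened server: the problem surfaces at the authorize step instead.
    print(run_flow(AuthServer(reject_overlength=True), "client-a", long_uri, long_uri))
```

The second call shows why the workaround in the comment succeeds: the client deliberately sends the same truncated string the server stored, so the exact-match check passes. It also shows why that workaround is fragile, since it depends on the storage defect staying the same. Where you control the client, the standard way to carry per-request context through an authorization-code flow is the `state` parameter (or a short opaque key that the application resolves server-side), which keeps `redirect_uri` short and stable for registration and matching.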

0 Answers