
I have a website that is hosted in local IIS and is configured as a client in IdentityServer4. My problem is that I'm getting the message "The length of the query string for this query is greater than the configured maxQueryStringLength value." when I try to log in using IdentityServer4.

Note that I have already changed this property in the web.config, setting it to the maximum.

<requestFiltering>
    <requestLimits maxQueryString="4294967295"  />
</requestFiltering>

Here is the code in the start up of my website:

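public class Startup
{
    /// <summary>
    /// OWIN pipeline configuration: cookie authentication plus an OpenID Connect client
    /// (authorization code flow with PKCE) against the IdentityServer at
    /// <c>https://localhost:5001</c>.
    /// </summary>
    /// <param name="app">The OWIN application builder supplied by the host.</param>
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        // Outbound calls (discovery document, token endpoint) are pinned to TLS 1.2.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // app.Use<SawtoothOpenIdConnectAuthenticationHandler>();
        app.UseSawtoothOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "Website.UI",
            Authority = "https://localhost:5001",
            RedirectUri = "https://localhost/MyWebsite.Test",
            ResponseType = "code",
            Scope = "openid profile offline_access api",
            UseTokenLifetime = false,
            SignInAsAuthenticationType = "Cookies",
            // Allows the discovery document to be fetched over plain HTTP; keep this
            // false only for local development against the localhost authority above.
            RequireHttpsMetadata = false,

            RedeemCode = true,
            SaveTokens = true,
            // "query" puts the authorization code and state into the callback URL.
            // The ASP.NET cap on that URL is <httpRuntime maxQueryStringLength> in
            // system.web, which is separate from IIS <requestLimits maxQueryString>.
            ResponseMode = "query",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    var message = context.ProtocolMessage;

                    if (message.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        // PKCE (RFC 7636): the code_verifier must be 43-128 characters.
                        // 32 random bytes satisfies that; the previous 8 bytes produced a
                        // 16-character verifier, below the minimum a conforming server accepts.
                        var codeVerifier = CryptoRandom.CreateUniqueId(32);

                        // code_challenge = BASE64URL(SHA256(code_verifier)), method S256.
                        string codeChallenge;
                        using (var sha256 = SHA256.Create())
                        {
                            var challengeBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(codeVerifier));
                            codeChallenge = Base64Url.Encode(challengeBytes);
                        }

                        message.SetParameter("code_challenge", codeChallenge);
                        message.SetParameter("code_challenge_method", "S256");

                        // remember code_verifier (adapted from OWIN nonce cookie)
                        RememberCodeVerifier(context, codeVerifier);
                    }

                    // The original condition used "||": an empty state was then dereferenced
                    // (NullReferenceException) and any non-empty state was unprotected whether
                    // or not it carried the AuthenticationProperties prefix.
                    const string statePrefix = "OpenIdConnect.AuthenticationProperties=";
                    var state = message.State;
                    if (!string.IsNullOrEmpty(state) &&
                        state.StartsWith(statePrefix, System.StringComparison.Ordinal))
                    {
                        // Take everything after the prefix; Split('=')[1] would truncate a
                        // payload that itself contains '='.
                        var protectedProperties = state.Substring(statePrefix.Length);

                        // Unprotect returns null when the payload does not verify.
                        AuthenticationProperties authenticationProperties =
                            context.Options.StateDataFormat.Unprotect(protectedProperties);

                        if (authenticationProperties != null)
                        {
                            return Task.FromResult(authenticationProperties.RedirectUri);
                        }
                    }

                    return Task.FromResult(0);
                },
                AuthorizationCodeReceived = context =>
                {
                    // Pair the returned code with the verifier stored at redirect time; the
                    // token endpoint recomputes the S256 challenge from it. RetrieveCodeVerifier
                    // is defined elsewhere in this file.
                    var codeVerifier = RetrieveCodeVerifier(context);

                    // attach code_verifier
                    context.TokenEndpointRequest.SetParameter("code_verifier", codeVerifier);

                    return Task.FromResult(0);
                }
            }
        });
    }
}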

And here is the code on the IdentityServer side:

 "Clients": [{
        "ClientId": "Website.UI",
        "RequireConsent": false,
        "AllowedGrantTypes": [ "authorization_code" ],
        "RequirePkce": true,
        "RequireClientSecret": false,
        "RedirectUris": [ "https://localhost/MyWebsite.Test"],
        "AllowedScopes": [ "openid", "profile", "api" ],
        "AllowOfflineAccess": true,
        "AllowedCorsOrigins": ["https://localhost:44300"]
      }}

When I investigated, I found that the code below executes three times:

RedirectToIdentityProvider = context =>
                        {..}

which makes the state parameter `"State": "OpenIdConnect.AuthenticationProperties=..."` too big.

  • According to the Microsoft documentation the [`maxQueryString`](https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/requestFiltering/requestLimits/) default value is `2048`. Therefore try to define some reasonable value in your `web.config` file. For example `maxQueryString="10240"`. – Jackdaw Dec 21 '20 at 23:06
  • This value maxQueryString="10240" is too small; my problem is that I get a big response from Identity Server that exceeds even this number maxQueryString="4294967295". – Orwa Dec 22 '20 at 12:55
  • I assume the parameter `maxQueryString` is not the problem. It is unlikely that the Identity Server will send you responses of size > 4GB. – Jackdaw Dec 22 '20 at 13:08



When you have this setting:

ResponseMode = "query",

Then the query string will be quite big. One option is to use ResponseMode = "form_post" instead, which avoids this error.

  • Thanks for your response, but when I change it to ResponseMode = "form_post" I'm calling Identity Server in an infinite loop. – Orwa Dec 22 '20 at 12:51