I have an MVC app which uses the Microsoft.AspNetCore.Authentication.OpenIdConnect middleware against IdS4 (core 1.1). The MVC calls a backend web API with the access token obtained after authentication. I'm using the "code id_token" response. I have segmented the API using scopes, but I have quite a few of them, i.e. 15. When I build the OIDCoptions I add in the scopes which the client requires:
oidOptions.Scope.Add("usersRead"); // Api scope
oidOptions.Scope.Add("usersWrite"); // Api scope
This has worked absolutely fine. However, I added a further two scopes and now IdS reports the following when the MVC does an OIDC challenge against IdS, i.e. before the user gets presented with login form
bad request
I can remove any two scopes from the list in my MVC app and it starts working again. This makes me think there is some limit on the number of scopes which can be requested, or some issue with URL length? I had a look the source code for OIDC middleware and IdS and I cannot find anything which would limit the number of API scopes a client may request.
Any ideas?
Thanks for the comments. After setting up log streaming in the Azure Web App the problem was immediately highlighted. Indeed, there is a string length limit on the artifacts which make up the token request, specifically for the scopes string 300 characters. We have shortened the scope names and now everything is working fine.
For reference, please see: https://github.com/IdentityServer/IdentityServer4/blob/aspnetcore1/src/IdentityServer4/Configuration/DependencyInjection/Options/InputLengthRestrictions.cs
Note, this is for dot net core v1.1 - similar restrictions for v2.0.