Identity provider callbacks might generate large code/state queryParams causing '404' on IIS

[QvAchthoven]

Hi!

I was making some changes to our Blazor application for which we use IdentityServer for our Authentication needs running on an IIS instance.

Today I happened to be working on allowing users to manage their own Entra ID providers through a settings page within our application when suddenly during testing, the callback URL started generating 404s even though nothing had changed on our IdentityServer instance.
The past week the 404s happened infrequently and I assumed some weird bug in my code (seeing as I happened to be working on the OAuth part of our application), however starting this morning every callback which came back from Microsoft's login service failed because of this. (still in development so no customers were impacted, no worries there!)

I started digging around, and after a morning of suffering I happened to find the 'sub-code' 15 (so 404.15) in the IIS application logs.
Googling said error quickly pointed me to 'Query string too long'.
After investigating a bit further I noticed the 3 queryParams returned by Microsoft (code, session and session_state) had a combined length of 2098 characters, which slightly exceeds IIS' default max querystring length of 2048.

Where am I going with this?
I noticed IdentityServer has a fairly comprehensive troubleshooting section in the documentation including issues related to factors outside of your direct control, and I figured this would be a great addition to said troubleshooting section.

[wcabus]

Thanks for the suggestion! This is indeed a common issue which can occur when federating to an external identity provider, since it has to echo back the query string parameters and often adds its own, causing the entire query string or URL to become too large.

We'll add a writeup for this issue to our troubleshooting section, including our following recommendation:

To solve this issue, there are two solutions:

1. Increase the maximum query string size by explicitly setting your own <requestLimits> in the web.config file. While this works in the short term, changing this might cause issues later on. Increasing the URL size limits may also not be effective in all browsers, as some browsers impose their own maximum URL length.

2. Reduce the size of the state query string parameter (which is managed by IdentityServer during the external login flow) by using a custom implementation of ISecureDataFormat<AuthenticationProperties> or IdentityServer's default implementation (see Integrating with External Providers | Duende Software Docs). Note that IdentityServer's implementation has a dependency on IDistributedCache; therefore, you may also need to configure a distributed cache for this solution to function correctly.