c# Identity Server Bad Request - Request Too Long
I have an odd issue that I am trying to track down.

If I deploy my client and Identity Server to Azure, using a self signed certificate then the code works.

I have now moved it to our UAT environment, where the identity server is configured to use a purchased certificate. This certificate has been provided for a single domain. identity.mydomain.com

The client has the password for this certificate so it can do what it needs to.

When I browse to the identity server I can log in to the admin section, so that is all running correctly. If I browse to the client, it redirects to the identity service where I can log in. But as soon as I log in, and am redirected back to my website, I get the following error;

Bad Request - Request Too Long

HTTP Error 400. The size of the request headers is too long.

Looking at the cookies, I can see a whole load of cookies created. I have deleted those and restarted, but I still have the same issue. If I increase the size of the buffers by using:

<httpRuntime maxRequestLength="2097151" executionTimeout="2097151" />

Then it works, but I am concerned that I am masking a problem rather than fixing it.

Has anyone else had to do this to get Identity Server to work on IIS?

Juice answered 2/12, 2016 at 14:44
I just googled the error... support.microsoft.com/en-us/kb/2020943 I see resolutions on that page. Doesn't appear to have anything to do with the cert. – Condone
I had already seen that one, thanks; we are not using Kerberos or AD. Curiously though, using a completely clean machine, I can log in as I would expect. Though other machines that have been working on this issue for a day or 2 do not work. After doing some more reading I am inclined to think it may be a cookie issue. – Juice
I've had this issue recently. The solution was to downgrade the NuGet package used, Microsoft.Owin.Security.OpenIdConnect. I was using 3.0.1. You must downgrade to 3.0.0. This is an issue with the Owin/Katana middleware. A description of the issue can be found here. Note that the page states how to fix the actual issue in the library. I haven't tried that; it could also work and is worth a try.

Note that you must clear your cookies the first time you redeploy with the fix in place. As a temporary fix, you can always clear your cookies and just visit the site again. At some point, however, it will always stick a bunch of nonce strings in the cookie. A similar issue can be found here.

Sikora answered 2/12, 2016 at 18:33
Thanks, I'll try this. – Juice
Though weirdly it works intermittently. One user can always get it to work in Chrome, but never IE. – Juice
I am assuming the Microsoft.Owin.Security.OpenIdConnect NuGet package you are referring to is in the client application? My client application is developed in ASP.NET Core with the 1.1.2 runtime, and I am having the same issue. – Microseism
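Before downgrading packages or widening server limits, it is worth confirming from the request itself that stale nonce cookies are what pushes the Cookie header over the HTTP.sys limit. The following Python script is an added example for the question and this answer, not code from either poster or from the Katana project. It parses a raw Cookie header value (as copied from the browser's developer tools or an IIS failed-request trace), counts the cookies sharing the nonce prefix that the patched handler further down this thread matches on (assumed here to be OpenIdConnect.nonce), compares the header size against the default HTTP.sys MaxFieldLength of 16 KB, and shows how much the header would shrink if only the newest nonce cookie were kept. The sample header it builds is constructed; the cookie names and values are made up.

```python
"""Diagnose an oversized Cookie header caused by accumulated OpenID Connect nonce cookies."""
from typing import Dict, List, Tuple

# Default HTTP.sys limit on a single request header field (MaxFieldLength), in bytes.
# Exceeding it is what produces "HTTP Error 400. The size of the request headers is too long."
HTTPSYS_MAX_FIELD_LENGTH = 16384

# Assumption: Katana nonce cookies share the prefix the patched handler matches on,
# OpenIdConnectAuthenticationDefaults.CookiePrefix + "nonce".
NONCE_PREFIX = "OpenIdConnect.nonce"

Cookie = Tuple[str, str]


def parse_cookie_header(header_value: str) -> List[Cookie]:
    """Split a raw Cookie header value into ordered (name, value) pairs.

    Cookies with the same prefix are all kept, because counting them is the point.
    """
    cookies: List[Cookie] = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies.append((name.strip(), value.strip()))
    return cookies


def build_cookie_header(cookies: List[Cookie]) -> str:
    """Re-serialise cookies exactly as a browser sends them: 'a=1; b=2'."""
    return "; ".join(f"{name}={value}" for name, value in cookies)


def prune_stale_nonces(cookies: List[Cookie]) -> List[Cookie]:
    """Keep every non-nonce cookie plus only the most recently added nonce cookie.

    This mirrors what the patched RememberNonce override does server-side by
    deleting every nonce cookie except the one for the current login attempt.
    """
    nonces = [c for c in cookies if c[0].startswith(NONCE_PREFIX)]
    keep = set(nonces[-1:])  # the last nonce in the header is the current one
    return [c for c in cookies if not c[0].startswith(NONCE_PREFIX) or c in keep]


def analyse_cookie_header(header_value: str,
                          limit: int = HTTPSYS_MAX_FIELD_LENGTH) -> Dict[str, object]:
    """Summarise header size, nonce cookie count/bytes and whether HTTP.sys would reject it."""
    cookies = parse_cookie_header(header_value)
    nonces = [c for c in cookies if c[0].startswith(NONCE_PREFIX)]
    total_bytes = len(header_value.encode("utf-8"))
    nonce_bytes = len(build_cookie_header(nonces).encode("utf-8"))
    pruned_bytes = len(build_cookie_header(prune_stale_nonces(cookies)).encode("utf-8"))
    return {
        "total_bytes": total_bytes,
        "over_limit": total_bytes > limit,
        "nonce_count": len(nonces),
        "nonce_bytes": nonce_bytes,
        "bytes_after_prune": pruned_bytes,
        "over_limit_after_prune": pruned_bytes > limit,
    }


def build_sample_header(nonce_count: int, nonce_value_len: int = 400) -> str:
    """Constructed sample: one Katana application cookie plus nonce_count stale nonce cookies.

    Real nonce cookies carry a hash suffix and protected data; these names and values are made up.
    """
    cookies: List[Cookie] = [(".AspNet.Cookies", "A" * 300)]
    for i in range(nonce_count):
        cookies.append((f"{NONCE_PREFIX}.c{i:03d}", f"{i:03d}" + "x" * (nonce_value_len - 3)))
    return build_cookie_header(cookies)


if __name__ == "__main__":
    # A fresh browser has a handful of nonce cookies; a machine that has been
    # retrying logins for a day or two has dozens and trips the limit.
    for count in (3, 45):
        print(f"{count:>3} nonce cookies -> {analyse_cookie_header(build_sample_header(count))}")
```

Run it against a real header by replacing the sample with the value copied from the browser; a high nonce_count with over_limit True and over_limit_after_prune False is the signature of the middleware bug described in this answer, whereas a large header with few nonce cookies points at something else (for example the Kerberos token case in the Microsoft KB article linked in the comments).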
What solved the problem for me was using AdamDotNet's Custom OpenIdConnectAuthenticationHandler to delete old nonce cookies.

using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Protocols;            // OpenIdConnectMessage
using Microsoft.Owin;
using Microsoft.Owin.Logging;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

    public static class OpenIdConnectAuthenticationPatchedMiddlewareExtension
    {
        // Drop-in replacement for app.UseOpenIdConnectAuthentication(...) that registers
        // the patched middleware below instead of the stock one.
        public static IAppBuilder UseOpenIdConnectAuthenticationPatched(this IAppBuilder app, OpenIdConnectAuthenticationOptions openIdConnectOptions)
        {
            if (app == null)
            {
                throw new ArgumentNullException("app");
            }
            if (openIdConnectOptions == null)
            {
                throw new ArgumentNullException("openIdConnectOptions");
            }
            Type type = typeof(OpenIdConnectAuthenticationPatchedMiddleware);
            object[] objArray = new object[] { app, openIdConnectOptions };
            return app.Use(type, objArray);
        }
    }

    /// <summary>
    /// Patched to fix the issue with too many nonce cookies described here: https://github.com/IdentityServer/IdentityServer3/issues/1124
    /// Deletes all nonce cookies that weren't the current one
    /// </summary>
    public class OpenIdConnectAuthenticationPatchedMiddleware : OpenIdConnectAuthenticationMiddleware
    {
        private readonly ILogger _logger;

        public OpenIdConnectAuthenticationPatchedMiddleware(OwinMiddleware next, IAppBuilder app, OpenIdConnectAuthenticationOptions options)
            : base(next, app, options)
        {
            this._logger = app.CreateLogger<OpenIdConnectAuthenticationPatchedMiddleware>();
        }

        // Swap in the handler that cleans up stale nonce cookies; everything else is inherited.
        protected override AuthenticationHandler<OpenIdConnectAuthenticationOptions> CreateHandler()
        {
            return new SawtoothOpenIdConnectAuthenticationHandler(_logger);
        }

        public class SawtoothOpenIdConnectAuthenticationHandler : OpenIdConnectAuthenticationHandler
        {
            public SawtoothOpenIdConnectAuthenticationHandler(ILogger logger)
                : base(logger) { }

            // Called on every redirect to the identity provider. Before the base class writes
            // the new nonce cookie, expire every nonce cookie the browser already holds so
            // they stop accumulating and blowing the request header limit.
            protected override void RememberNonce(OpenIdConnectMessage message, string nonce)
            {
                var oldNonces = Request.Cookies.Where(kvp => kvp.Key.StartsWith(OpenIdConnectAuthenticationDefaults.CookiePrefix + "nonce")).ToList();
                if (oldNonces.Any())
                {
                    CookieOptions cookieOptions = new CookieOptions
                    {
                        HttpOnly = true,
                        Secure = Request.IsSecure
                    };
                    foreach (KeyValuePair<string, string> oldNonce in oldNonces)
                    {
                        Response.Cookies.Delete(oldNonce.Key, cookieOptions);
                    }
                }
                base.RememberNonce(message, nonce);
            }
        }
    }

And use:

app.UseOpenIdConnectAuthenticationPatched(new OpenIdConnectAuthenticationOptions(){...});

As detailed here: https://github.com/IdentityServer/IdentityServer3/issues/1124#issuecomment-226519073

Typography answered 3/8, 2018 at 11:43
For me, it doesn't help; with this it just keeps redirecting, without ever throwing the Bad Request - Request Too Long error :((((( – Uriah
Just clearing cookies worked for me. It is the easiest answer to try first.

Tabaret answered 9/12, 2020 at 15:34
