c# Identity Server Bad Request - Request Too Long

Question

I have an odd issue that I am trying to track down.

If I deploy my client and Identity Server to Azure, using a self signed certificate then the code works.

I have now moved it to our UAT environment, where the identity server is configured to use a purchased certificate. This certificate has been provided for a single domain. identity.mydomain.com

The client has the password for this certificate so it can do what it needs to.

When I browse to the identity server I can log in to the admin section, so that is all running correctly. If I browse to the client, it redirects to the identity service where I can log in. But as soon as I log in, and am redirected back to my website, I get the following error;

Bad Request - Request Too Long

HTTP Error 400. The size of the request headers is too long.

Looking at the cookies, I can see a whole load of cookies created. I have deleted those and restarted, but I still have the same issue. If I increase the size of the buffers by using.

<httpRuntime maxRequestLength="2097151" executionTimeout="2097151">

Then it works, but I am concerned that I am masking a problem rather than fixing it.

Has anyone else had to do this to get identity server to work on iis?

Answer 1

I've had this issue recently. The solution was to downgrade the used NuGet package Microsoft.Owin.Security.OpenIdConnect. I was using 3.0.1. You must downgrade to 3.0.0. This is an issue with Owin/Katana middleware. Descriptioin of the issue can be found here. Note that the page states how to fix the actual issue in the library. I haven't tried that, it could also work and is worth the try.

Note that you must clear your cookies the first time you redeploy with the fix in place. As temporary fix, you can always clear your cookies, and just visit the site again. At some point however, it will always stick bunch of nonce strings in the cookie. Similar issue can be found here.

Answer 2

What solved the problem for me was using AdamDotNet's Custom OpenIdConnectAuthenticationHandler to delete old nonce cookies.

public static class OpenIdConnectAuthenticationPatchedMiddlewareExtension
    {
        public static Owin.IAppBuilder UseOpenIdConnectAuthenticationPatched(this Owin.IAppBuilder app, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions openIdConnectOptions)
        {
            if (app == null)
            {
                throw new System.ArgumentNullException("app");
            }
            if (openIdConnectOptions == null)
            {
                throw new System.ArgumentNullException("openIdConnectOptions");
            }
            System.Type type = typeof(OpenIdConnectAuthenticationPatchedMiddleware);
            object[] objArray = new object[] { app, openIdConnectOptions };
            return app.Use(type, objArray);
        }
    }

    /// <summary>
    /// Patched to fix the issue with too many nonce cookies described here: https://github.com/IdentityServer/IdentityServer3/issues/1124
    /// Deletes all nonce cookies that weren't the current one
    /// </summary>
    public class OpenIdConnectAuthenticationPatchedMiddleware  : OpenIdConnectAuthenticationMiddleware
    {
        private readonly Microsoft.Owin.Logging.ILogger _logger;

        public OpenIdConnectAuthenticationPatchedMiddleware(Microsoft.Owin.OwinMiddleware next, Owin.IAppBuilder app, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions options) 
                : base(next, app, options)
        {
            this._logger = Microsoft.Owin.Logging.AppBuilderLoggerExtensions.CreateLogger<OpenIdConnectAuthenticationPatchedMiddleware>(app);
        }

        protected override Microsoft.Owin.Security.Infrastructure.AuthenticationHandler<OpenIdConnectAuthenticationOptions> CreateHandler()
        {
            return new SawtoothOpenIdConnectAuthenticationHandler(_logger);
        }

        public class SawtoothOpenIdConnectAuthenticationHandler : OpenIdConnectAuthenticationHandler
        {
            public SawtoothOpenIdConnectAuthenticationHandler(Microsoft.Owin.Logging.ILogger logger)
                : base(logger) { }

            protected override void RememberNonce(OpenIdConnectMessage message, string nonce)
            {
                var oldNonces = Request.Cookies.Where(kvp => kvp.Key.StartsWith(OpenIdConnectAuthenticationDefaults.CookiePrefix + "nonce"));
                if (oldNonces.Any())
                {
                    Microsoft.Owin.CookieOptions cookieOptions = new Microsoft.Owin.CookieOptions
                    {
                        HttpOnly = true,
                        Secure = Request.IsSecure
                    };
                    foreach (KeyValuePair<string, string> oldNonce in oldNonces)
                    {
                        Response.Cookies.Delete(oldNonce.Key, cookieOptions);
                    }
                }
                base.RememberNonce(message, nonce);
            }
        }
    }

And use:

app.UseOpenIdConnectAuthenticationPatched(new OpenIdConnectAuthenticationOptions(){...});

As detailed here: https://github.com/IdentityServer/IdentityServer3/issues/1124#issuecomment-226519073