-
Notifications
You must be signed in to change notification settings - Fork 197
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authentication.authenticate() rejects with "Authorization code exceeds max length of 2048 characters" #2516
Comments
Hi @ivanggq, thanks for reporting this issue. Our external browser authentication flow validates the authorization code based on the OAuth2 RFC 6750 standard. That standard does not specify a maximum length for the authorization code, but the Google OAuth2 implementation, which has the largest documented limit of the major OAuth providers, has a maximum length of 2048 characters. Can you please share which OAuth2 provider the app is using that generates codes longer than this? |
Hi @jekloudaMSFT , we are integrating with GoTo (goto.com), and some tokens can be 3 KB. We also know that Intuit's tokens are with max length 4 KB: https://blogs.intuit.com/2020/03/23/increased-lengths-for-oauth-2-0-fields/#:~:text=The%20new%20maximum%20lengths%20are,Refresh%20tokens%3A%20512%20characters Why is the limit so low and is it possible to increase? Thank you |
Hi @ivanggq, thanks for providing more details. The link shows that the authorization code limit is 512 characters. Can you confirm that the app is passing the authorization code back via the "msteams://" link and not the access token? The app should pass the authorization code back to Teams and then exchange the authorization code for the access token inside the WebView. Passing the access token via deeplink is insecure and not a supported scenario. |
Hi @jekloudaMSFT , sorry for mixing up authorization code and the access token lengths and being unclear. You are right about the link I sent and the limit there being 512 chars for authorization codes. |
Thanks for confirming, @ivanggq. Is the size of the GoTo authorization code documented anywhere? We can look into increasing the limit, but per security we can't accept arbitrarily large results |
No, I don't think it is documented anywhere, but current lengths are around 2.8-3K chars, and maybe a limit of 4K chars (for the GoTo auth codes) is reasonable enough. |
Hi @ivanggq, I reached out to GoTo support to get an exact number we could use and received this response: "Our codes and tokens are shorter than the limit you mentioned, The code has 1606 characters Or are you talking about all the information in the .Json response? Based on this, could the app be using the entire .json response? Can you confirm whether this is the case, and if so whether that additional information is needed to complete the auth flow? |
Hi, when a user logs into app.goto.com , if you monitor the network calls, the authorization code is 2.8-3 K. This is due to the auth code containing a lot of scopes. when used from the app.goto.com app. (From other GoTo apps, the scopes are fewer and the auth code is smaller). |
Ok, we can look into increasing the limit, but we want to set it based on the documented limits of popular identity providers. This check is implemented on the host side, so if we do update it will take some time to roll out to our hosts. Would you be willing to troubleshoot why the app is receiving authorization codes so far outside the size indicated by GoTo? If they can update their documentation to specify the larger issued sizes, we can use that as reference in our security reviews. |
Thanks @jekloudaMSFT , we already know that the size of the auth code is large due to too many scopes being used by app.goto.com and consequently encoded into the auth token. We are working on reducing / unifying the scopes, which will bring the size down, but this would take a few months. |
Hi @jekloudaMSFT , the token sizes are now documented in the GoTo developer portal: https://developer.goto.com/Authentication/#section/Token-sizes |
Thanks @ivanggq, I'll let you know when I have an ETA of when you can expect to see the fix rolled out to production |
Hi,
We are trying to do external browser authentication as described here https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-oauth-provider#add-authentication-to-external-browsers
It works well when the resulting token is less than 2048 chars, but fails with "Authorization code exceeds max length of 2048 characters" when it is more than that.
We are calling
authentication.authenticate()
withisExternal: true
and have implemented all necessary hops, and when we invoke the finalmsteams://teams.microsoft.com/l/auth-callback?authId=${authId}&result=${token}
URL with the resulting token, the promise fromauthentication.authenticate()
rejects with "Authorization code exceeds max length of 2048 characters" if the token is not within 2048 chars.Our tokens are longer than that. Why is this limitation existing? Can it be disabled somehow (via the manifest for example)? Can it be increased/configured?
Thanks,
Ivan
The text was updated successfully, but these errors were encountered: