2
votes

I'm using OIDC with the implicit flow with response type "id_token token". Everything works great, but I noticed that the callback URL with access token, id_token, scope and session_state plus the domain name already contains 2033 characters. The project that I'm working on needs to support IE 10, and as far as I know there is a URL limit of 2048 characters. I'm a little afraid that the length of the callback URL is approaching this limit dangerously. What is the suggested approach in cases like that? Could I change the response type to "token" and then request user information from the user info endpoint? Or maybe should I do something to reduce the size of the callback URL, try to reduce the information in access_token and id_token? A third option seems to be reference tokens, but I'm a little afraid about the overhead of one extra call to the STS.

In the project I use oidc-client-js and IdentityServer4.

Thanks

2
You might try switching from implicit flow to auth code flow. Auth code flow involves an extra step of exchanging the smallish auth-code for the full JWT, but you shouldn't have to worry about URL redirect limits in IE.

user2368632

2 Answers

2
votes

Try to keep the token as small as possible. IOW, fewer claims.

IdentityServer removes all additional claims from the identity token by default in scenarios where an access token is available (unless you override this behavior).

Reference tokens are another way of dealing with that as you said. By enabling caching in the API middleware you can keep the overhead small.

IE is the plague.
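To make the question's URL budget and this answer's "fewer claims" advice concrete, here is an added Node.js example (not code from the question, the answers, oidc-client-js or IdentityServer4). It builds constructed sample tokens with a placeholder signature, reports how many characters each claim contributes, and measures the length of the fragment callback URL against the 2048-character limit mentioned in the question. The redirect URI is the one from the question's follow-up; every claim value is made up.

```javascript
// Added example: size an implicit-flow callback URL and rank JWT claims by size.
// All tokens below are constructed locally with a dummy signature; none are real.

const URL_LIMIT = 2048; // IE limit cited in the question
const REDIRECT_URI = "http://localhost:5003/callback.html"; // from the follow-up answer

function base64url(buf) {
  return Buffer.from(buf).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build a JWT-shaped token: real header and payload, fixed-length placeholder signature.
function makeSampleJwt(payload, signatureBytes = 256) {
  const header = base64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = base64url(JSON.stringify(payload));
  const sig = base64url(Buffer.alloc(signatureBytes, 0xab)); // placeholder, not a signature
  return `${header}.${body}.${sig}`;
}

// Decode the payload segment; Node's "base64" decoder accepts the URL-safe alphabet.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Characters each claim adds to the JSON payload, largest first.
function claimSizes(token) {
  const payload = decodeJwtPayload(token);
  return Object.entries(payload)
    .map(([name, value]) => ({ name, chars: JSON.stringify({ [name]: value }).length }))
    .sort((a, b) => b.chars - a.chars);
}

// Length of the URL the browser receives when tokens come back in the fragment.
function callbackUrlLength(redirectUri, params) {
  const fragment = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${redirectUri}#${fragment}`.length;
}

function budgetReport(redirectUri, params, limit = URL_LIMIT) {
  const length = callbackUrlLength(redirectUri, params);
  return { length, limit, remaining: limit - length, overLimit: length > limit };
}

// Constructed sample tokens: one id_token with many profile claims, one trimmed down.
const fullIdToken = makeSampleJwt({
  iss: "http://localhost:5000", aud: "js", sub: "88421113", exp: 1500000000, iat: 1499996400,
  name: "Alice Example", given_name: "Alice", family_name: "Example",
  email: "alice@example.com", website: "https://alice.example.com",
  address: "1 Example Street, Example City", role: ["Admin", "Editor", "Viewer"],
  amr: ["pwd"], nonce: "n-0S6_WzA2Mj", sid: "c2a1f3d4",
});
const slimIdToken = makeSampleJwt({
  iss: "http://localhost:5000", aud: "js", sub: "88421113",
  exp: 1500000000, iat: 1499996400, nonce: "n-0S6_WzA2Mj",
});
const accessToken = makeSampleJwt({
  iss: "http://localhost:5000", aud: "TestApi", sub: "88421113",
  scope: ["openid", "profile", "TestApi"], exp: 1500003600,
});

// Parameters an "id_token token" response carries in the fragment (values constructed).
function callbackParams(idToken) {
  return {
    id_token: idToken, access_token: accessToken, token_type: "Bearer", expires_in: "3600",
    scope: "openid profile TestApi", state: "a1b2c3d4e5f6", session_state: "s9f8e7d6c5b4",
  };
}

const fullReport = budgetReport(REDIRECT_URI, callbackParams(fullIdToken));
const slimReport = budgetReport(REDIRECT_URI, callbackParams(slimIdToken));

console.log("largest id_token claims:", claimSizes(fullIdToken).slice(0, 3));
console.log("full id_token callback:", fullReport);
console.log("slim id_token callback:", slimReport);
```

Run it with `node` and compare the two reports: the difference between them is exactly the cost of the profile claims in the fragment, which is the number to watch when deciding whether trimming claims is enough or whether a reference token or a different flow is needed.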

0
votes

Similar issue here but with an Electron app. The Electron app needs to call a protected API. The API needs to know the identity of the calling user. I tried changing the response type from "id_token token" to "token", but the IdentityServer auth attempt now results in:

UI:

Sorry, there was an error : invalid_scope

Debug Output:

Requests for token response type only must include resource scopes, but no identity scopes

JavaScript config (borrowed from Dom's great JavaScript sample client):

var config = {
    authority: "http://localhost:5000",
    client_id: "js",
    redirect_uri: "http://localhost:5003/callback.html",
    response_type: "token",
    // mixes identity scopes (openid, profile) with a resource scope (TestApi)
    scope: "openid profile TestApi",
    post_logout_redirect_uri: "http://localhost:5003/index.html",
};
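The debug output above states the rule IdentityServer applies: a "token"-only response type may carry resource scopes but no identity scopes. As an added example (not code from this answer, oidc-client-js or IdentityServer4), the following Node.js check applies that rule to an oidc-client-js style config object before the redirect is ever attempted. The set of identity scopes is the standard OIDC one and is an assumption here; any other scope is treated as a resource scope, and the scope string "TestApi" in the second config is assumed to be what a "token"-only request for this API would use.

```javascript
// Added example: validate response_type against the scopes in a client config,
// encoding the rule from the error "Requests for token response type only must
// include resource scopes, but no identity scopes".

// Standard OIDC identity scopes (assumption); everything else counts as a resource scope.
const IDENTITY_SCOPES = new Set(["openid", "profile", "email", "address", "phone"]);

function splitScopes(config) {
  const scopes = (config.scope || "").split(/\s+/).filter(Boolean);
  return {
    identity: scopes.filter((s) => IDENTITY_SCOPES.has(s)),
    resource: scopes.filter((s) => !IDENTITY_SCOPES.has(s)),
  };
}

// Returns a list of problems; an empty list means the combination is consistent.
function validateScopesForResponseType(config) {
  const types = (config.response_type || "").split(/\s+/).filter(Boolean);
  const { identity, resource } = splitScopes(config);
  const problems = [];
  if (types.length === 1 && types[0] === "token") {
    if (identity.length > 0) {
      problems.push(`response_type "token" must not include identity scopes: ${identity.join(", ")}`);
    }
    if (resource.length === 0) {
      problems.push('response_type "token" requires at least one resource scope');
    }
  }
  if (types.includes("id_token") && !identity.includes("openid")) {
    problems.push('an id_token response requires the "openid" scope');
  }
  return problems;
}

// The config from the answer above, which triggers invalid_scope.
const failingConfig = {
  authority: "http://localhost:5000",
  client_id: "js",
  redirect_uri: "http://localhost:5003/callback.html",
  response_type: "token",
  scope: "openid profile TestApi",
  post_logout_redirect_uri: "http://localhost:5003/index.html",
};

// Same client with only the resource scope (assumed shape of a token-only request).
const tokenOnlyConfig = { ...failingConfig, scope: "TestApi" };

// The original "id_token token" combination, where identity scopes are expected.
const hybridConfig = { ...failingConfig, response_type: "id_token token" };

console.log("failing:", validateScopesForResponseType(failingConfig));
console.log("token only:", validateScopesForResponseType(tokenOnlyConfig));
console.log("id_token token:", validateScopesForResponseType(hybridConfig));
```

Note that a "token"-only response carries no id_token, so the API learns the user's identity from the access token's subject claim rather than from an id_token; with "TestApi" as the only scope the request matches the rule in the error message, and the profile claims would have to come from the user info endpoint or the access token instead.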