authentication.authenticate() rejects with "Authorization code exceeds max length of 2048 characters" #2516
Hi @ivanggq, thanks for reporting this issue. Our external browser authentication flow validates the authorization code based on the OAuth2 RFC 6750 standard. That standard does not specify a maximum length for the authorization code, but the Google OAuth2 implementation, which has the largest documented limit of the major OAuth providers, has a maximum length of 2048 characters. Can you please share which OAuth2 provider the app is using that generates codes longer than this?
Hi @jekloudaMSFT, we are integrating with GoTo (goto.com), and some tokens can be 3 KB. We also know that Intuit's tokens have a max length of 4 KB: https://blogs.intuit.com/2020/03/23/increased-lengths-for-oauth-2-0-fields/#:~:text=The%20new%20maximum%20lengths%20are,Refresh%20tokens%3A%20512%20characters Why is the limit so low, and is it possible to increase it? Thank you
Hi @ivanggq, thanks for providing more details. The link shows that the authorization code limit is 512 characters. Can you confirm that the app is passing the authorization code back via the "msteams://" link and not the access token? The app should pass the authorization code back to Teams and then exchange the authorization code for the access token inside the WebView. Passing the access token via deeplink is insecure and not a supported scenario.
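The flow the comment above describes, as an added example that is not code from this thread, from the Teams JS SDK, or from any OAuth provider: the external-browser callback page takes the provider's redirect, forwards only the short authorization code to Teams through the `msteams://` auth-callback deep link quoted in the issue (refusing anything that carries an access token), applies the same 2048-character check the error message names, and leaves the code-for-token exchange to a backend. The exchange endpoint, the `auth-123` authId and the 3 KB sample code are all constructed for the example.

```javascript
// Added example, not code from the issue thread, the Teams JS SDK, or any OAuth provider.
// It models the external-browser callback page described in the thread: take the
// provider's redirect, forward only the OAuth *authorization code* to Teams through the
// msteams:// auth-callback deep link from the issue, and leave the code-for-token
// exchange to a backend (exchangeEndpoint is a hypothetical URL, not a real SDK call).

// Limit quoted by the error message in the issue.
const MAX_RESULT_LENGTH = 2048;

// Pull the authorization code out of the OAuth provider's redirect URL.
// Anything that looks like a bearer token (access_token in query or fragment) is refused:
// a token is a reusable bearer credential, while a code is single-use and worthless
// without the client's own redemption step.
function extractAuthorizationCode(redirectUrl) {
  const url = new URL(redirectUrl);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (url.searchParams.has("access_token") || fragment.has("access_token")) {
    throw new Error("redirect carries an access token; refusing to forward it to Teams");
  }
  const code = url.searchParams.get("code");
  if (!code) {
    throw new Error("no authorization code in redirect");
  }
  return code;
}

// Build the deep link the issue shows, with the code as `result`. The length check is
// done here so an oversized value fails on our page instead of inside Teams.
function buildAuthCallbackDeepLink(authId, code) {
  if (code.length > MAX_RESULT_LENGTH) {
    throw new Error(`Authorization code exceeds max length of ${MAX_RESULT_LENGTH} characters`);
  }
  const params = new URLSearchParams({ authId, result: code });
  return `msteams://teams.microsoft.com/l/auth-callback?${params.toString()}`;
}

// Parse the deep link back on the Teams side to confirm only a code travelled.
function parseAuthCallbackDeepLink(deepLink) {
  const url = new URL(deepLink);
  return { authId: url.searchParams.get("authId"), result: url.searchParams.get("result") };
}

// Exchange the code for tokens via a backend that holds the client secret (hypothetical
// endpoint). fetchImpl is injectable so the function can be exercised without a network.
async function exchangeCodeForToken(code, exchangeEndpoint, fetchImpl = fetch) {
  const response = await fetchImpl(exchangeEndpoint, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ code }),
  });
  if (!response.ok) {
    throw new Error(`token exchange failed with HTTP ${response.status}`);
  }
  return response.json();
}

// Constructed sample redirect (no real provider or code): a 3 KB code like those in the thread.
const SAMPLE_LONG_CODE = "c".repeat(3072);
const SAMPLE_REDIRECT = `https://app.example.test/oauth/callback?code=${SAMPLE_LONG_CODE}&state=xyz`;

// Walk the sample through the callback page's steps and report what happens.
function demo() {
  const code = extractAuthorizationCode(SAMPLE_REDIRECT);
  try {
    return buildAuthCallbackDeepLink("auth-123", code);
  } catch (err) {
    return `rejected before reaching Teams: ${err.message}`;
  }
}
```

Running `demo()` with the 3 KB sample reproduces the rejection from the issue title on the callback page itself; with a provider whose codes stay under the limit, the returned deep link carries only the code, and the access token never leaves the `exchangeCodeForToken` response.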
Hi @jekloudaMSFT, sorry for mixing up the authorization code and access token lengths and being unclear. You are right about the link I sent and the limit there being 512 chars for authorization codes.
Hi,
We are trying to do external browser authentication as described here https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-oauth-provider#add-authentication-to-external-browsers
It works well when the resulting token is less than 2048 chars, but fails with "Authorization code exceeds max length of 2048 characters" when it is more than that.
We are calling `authentication.authenticate()` with `isExternal: true` and have implemented all necessary hops, and when we invoke the final `msteams://teams.microsoft.com/l/auth-callback?authId=${authId}&result=${token}` URL with the resulting token, the promise from `authentication.authenticate()` rejects with "Authorization code exceeds max length of 2048 characters" if the token is not within 2048 chars. Our tokens are longer than that. Why does this limitation exist? Can it be disabled somehow (via the manifest, for example)? Can it be increased/configured?
Thanks,
Ivan