
authentication.authenticate() rejects with "Authorization code exceeds max length of 2048 characters" #2516

Open
ivanggq opened this issue Sep 18, 2024 · 4 comments

Comments

@ivanggq

ivanggq commented Sep 18, 2024

Hi,

We are trying to do external browser authentication as described here https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-oauth-provider#add-authentication-to-external-browsers

It works well when the resulting token is less than 2048 chars, but fails with "Authorization code exceeds max length of 2048 characters" when it is more than that.

We are calling authentication.authenticate() with isExternal: true and have implemented all necessary hops, and when we invoke the final msteams://teams.microsoft.com/l/auth-callback?authId=${authId}&result=${token} URL with the resulting token, the promise from authentication.authenticate() rejects with "Authorization code exceeds max length of 2048 characters" if the token is not within 2048 chars.

Our tokens are longer than that. Why does this limitation exist? Can it be disabled somehow (via the manifest, for example)? Can it be increased/configured?

Thanks,
Ivan

@jekloudaMSFT
Contributor

Hi @ivanggq, thanks for reporting this issue. Our external browser authentication flow validates the authorization code based on the OAuth2 RFC 6750 standard. That standard does not specify a maximum length for the authorization code, but the Google OAuth2 implementation, which has the largest documented limit of the major OAuth providers, has a maximum length of 2048 characters. Can you please share which OAuth2 provider the app is using that generates codes longer than this?

@ivanggq
Author

ivanggq commented Sep 18, 2024

Hi @jekloudaMSFT, we are integrating with GoTo (goto.com), and some tokens can be 3 KB. We also know that Intuit's tokens have a max length of 4 KB: https://blogs.intuit.com/2020/03/23/increased-lengths-for-oauth-2-0-fields/#:~:text=The%20new%20maximum%20lengths%20are,Refresh%20tokens%3A%20512%20characters

Why is the limit so low, and is it possible to increase it? Thank you

@jekloudaMSFT
Contributor

Hi @ivanggq, thanks for providing more details. The link shows that the authorization code limit is 512 characters. Can you confirm that the app is passing the authorization code back via the "msteams://" link and not the access token? The app should pass the authorization code back to Teams and then exchange the authorization code for the access token inside the WebView. Passing the access token via deeplink is insecure and not a supported scenario.

@ivanggq
Author

ivanggq commented Sep 19, 2024

Hi @jekloudaMSFT, sorry for mixing up the authorization code and access token lengths and being unclear. You are right about the link I sent and the limit there being 512 chars for authorization codes.
I confirmed with the team: we are in fact passing authorization codes, and they are 3 KB in length.
