Azure AD B2C - how to shorten the "state" parameter in the signout url to avoid query string is too long error?

Gangarde, Sachin 60 Reputation points
2024-05-16T16:05:57.7733333+00:00

Hi,

We are getting a unique "query string too long" error after adding one of the standard context parameters. Somehow it is getting added to the "state" property while the user is logging out.

I have no idea why the "state" property is required on logout, or how we can cut it down without removing the output claims.

Any suggestions are welcome.

The error we are getting is:

The request filtering module is configured to deny a request where the query string is too long.

This is how our relying party code looks (we recently added the 'contextIPAddress' output claim):

<RelyingParty>
  <DefaultUserJourney ReferenceId="HRD_Internal" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" />
    <SessionExpiryType>Absolute</SessionExpiryType>
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
    <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="******************" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
    <ContentDefinitionParameters>
      <Parameter Name="ui_locales">{Culture:RFC5646}</Parameter>
    </ContentDefinitionParameters>
    <ScriptExecution>Allow</ScriptExecution>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="contextIPAddress" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="oid" />
  </TechnicalProfile>
</RelyingParty>

The error in the browser looks like:

User's image


1 answer

  1. James Hamil 22,876 Reputation points Microsoft Employee
    2024-05-16T19:16:53.45+00:00

    Hi @Gangarde, Sachin, the "state" parameter is required in the logout URL to prevent cross-site request forgery (CSRF) attacks. It is used to maintain state between the client and the server. However, if the query string is too long, you can try to shorten it by removing unnecessary parameters or by compressing the state parameter.

    One way to compress the state parameter is to use a compression algorithm like gzip or deflate. You can compress the state parameter on the server-side before sending it to the client, and then decompress it on the client-side before using it.

    Another way to shorten the state parameter is to use a shorter value for the "nonce" parameter. The nonce parameter is used to prevent replay attacks and is included in the state parameter. By default, the nonce parameter is a 32-byte random string. You can reduce the length of the nonce parameter to 16 bytes or less to shorten the state parameter.

    You can also try to remove unnecessary parameters from the state parameter. For example, if you are using the "prompt" parameter in the login URL, you can remove it from the logout URL since it is not needed.

    In your case, you can try to remove the "contextIPAddress" output claim from the TechnicalProfile to see if it helps to shorten the state parameter. If you still need the "contextIPAddress" output claim, you can try to compress the state parameter or use a shorter value for the nonce parameter.

    There's also this thread with some more information.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
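
To see which parameter pushes a sign-out URL past the request-filtering limit quoted in the question, the following added example (not code from the original thread or from Azure AD B2C) breaks a URL's query string down by encoded size. The function name, the sample URL and its parameters are constructed for illustration; the 2048-byte figure is the IIS default for `maxQueryString`, and the site that returns the error may be configured differently.

```python
from urllib.parse import urlsplit

# IIS request filtering denies requests whose query string exceeds
# requestLimits/maxQueryString. 2048 bytes is the IIS default; the limit on
# the site that returned the error is an assumption here.
IIS_DEFAULT_MAX_QUERY_STRING = 2048


def query_string_report(url, limit=IIS_DEFAULT_MAX_QUERY_STRING):
    """Measure the encoded query string and rank parameters by value size.

    Sizes are taken from the still-encoded URL, because that is what the
    web server counts against its limit.
    """
    raw_query = urlsplit(url).query
    sizes = []
    for pair in filter(None, raw_query.split("&")):
        name, _, value = pair.partition("=")
        sizes.append((name, len(value.encode("utf-8"))))
    sizes.sort(key=lambda item: item[1], reverse=True)
    total = len(raw_query.encode("utf-8"))
    return {
        "total": total,
        "limit": limit,
        "over_limit": total > limit,
        "largest": sizes,  # biggest contributor first
    }


# Constructed sample: a sign-out redirect whose "state" value is 2100
# characters long. Host, path and values are placeholders, not captured data.
SAMPLE_URL = (
    "https://app.example.test/signout-callback"
    "?post_logout_redirect_uri=https%3A%2F%2Fapp.example.test%2F"
    "&state=" + "A" * 2100
)

if __name__ == "__main__":
    report = query_string_report(SAMPLE_URL)
    print(f"query string: {report['total']} bytes (limit {report['limit']})")
    for name, size in report["largest"]:
        print(f"  {name}: {size} bytes")
    if report["over_limit"]:
        print("request would be denied by the query-string length check")
```

Running it against the failing URL copied from the browser's address bar, once before and once after adding the `contextIPAddress` output claim, shows how much of the growth sits in `state`.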