SWA Params Payload with Length of 4096 Results in 404

Question

SWA Params Payload with Length of 4096 Results in 404

Alex Rankin 50

Hello,

I noticed late last week that Azure Static Web Apps started returning 404 responses when the length of query params exceeds 4096 characters (including param names and symbols minus "?"). This is a problem for the SPA I host using SWA since my app uses OAuth2.

Any help is appreciated.

Thanks!

Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-05T15:31:06.46+00:00
It seems that you are running in a problem with Azure Static Web Apps, where you are getting 404 reactions when your query parameters are more than 4096 characters. It is creating a problem for your spa that depends on Oauth2.

To address this issue, here are some things you can consider:

Check the query string limits: There are some limitations on the size of the query string of the azure. While Azure itself allows for long URL, specific services or configurations can impose their limits. Ensure that your application or any mediator (eg load balancers or firewall) are not restricted to the length of URL or Querry Strings.

Customize your query parameters: If possible, see if you can reduce the length of your query parameters. This may include sending some parameters to the request body (if applied) or using a different approach to pass the data, such as session storage or server-side state management.

Look at the Azure configuration settings: Depends on how your Azure Static Web App is set, there may be additional configurations or settings that you can make tweak. For example, if you are using the Azure Front Door, there are some limitations that can affect your requests.

Using the post instead of the gate: If your questions are very long due to Oauth2 parameters, consider switching from receiving the post requests for these interactions. Post requests can take a large payload without killing the same limit.

Check the error log: Review any logs or error messages returned with 404 responses. Sometimes, they can give more reference to why the request was rejected.

If you continue to face issues or if these suggestions do not solve the problem, here are some follow -up questions to better understand your situation:

Are there any specific error messages with 404 that can give more insight?

Can you provide details about the configuration of your azure static web app, such as if you are using any additional services (eg, Azure Front Door)?

Currently what type of request method (POST) are you using for your Oauth2 interaction? How is your application structured in terms of handling query parameters? Tell me whether you have more questions or need more help!

if you have any further concerns or queries, please feel free to reach out to us.
Alex Rankin 50 Reputation points

2025-05-05T17:14:10.9933333+00:00

Thanks for the reply. Our configuration is setup such that SWA is hit directly without any other Azure infrastructure. To reiterate, this was not a problem until late last week. If this is the expected change moving, please link to the related documentation.
Alex Rankin 50 Reputation points

2025-05-05T18:51:55.52+00:00

The error I get is "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." under that condition.
Alex Rankin 50 Reputation points

2025-05-06T04:20:14.7+00:00

This is actually expected. The issue appears to be that Azure AD B2C started issuing auth codes 4000+ characters long.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-07T11:40:52.3966667+00:00

Hi Alex Rankin, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-08T19:54:06.2933333+00:00

Hi Alex Rankin, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Alex Rankin 50 Reputation points

2025-05-05T17:14:10.9933333+00:00

Thanks for the reply. Our configuration is setup such that SWA is hit directly without any other Azure infrastructure. To reiterate, this was not a problem until late last week. If this is the expected change moving, please link to the related documentation.
Alex Rankin 50 Reputation points

2025-05-05T18:51:55.52+00:00

The error I get is "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." under that condition.
Alex Rankin 50 Reputation points

2025-05-06T04:20:14.7+00:00

This is actually expected. The issue appears to be that Azure AD B2C started issuing auth codes 4000+ characters long.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-07T11:40:52.3966667+00:00

Hi Alex Rankin, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-08T19:54:06.2933333+00:00

Hi Alex Rankin, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hi Alex Rankin
Use authority code flow with PKCE through post

Instead of relying on query strings in redirects, consider switching to post-based authentic flows (if your framework supports it). It is completely avoided from long URL and is a recommended OAuth 2.0 approach to Spa.

If you are using Microsoft's MSAL.JS or any other popular OAuth client library, enable PKCE (proof key for code exchange) and minimize the state passed in query string.

Reduce state size or use browser storageIf you are passing the Custom State Parameter in your authentic request, then try:

State handling in session storage or location,Encoding State Minimum (eg, base 64-encoded json or small identifier) and To avoid large payload or nested objects in the state.This can help keep the final redirected URL under 4096 characters.Store state server-side (advanced)If your app is supported by a serverless API or function app, you can temporarily store complex authentic status on the backend and send a small reference key as Query Param. When redirected, retrieve the full position using that key.

if you have any further concerns or queries, please feel free to reach out to us.

Share via

SWA Params Payload with Length of 4096 Results in 404

1 answer

Your answer