Azure AD B2C Issuing Auth Codes 4000+ Characters Long.

Question

Hello,Sometime late last week, Azure AD B2C started issuing tokens at 4000+ characters for one of our clients. This has broken our SPA that is hosted on Static Web Apps since the param length limit is being exceeded. It was previously communicated that this has been rolled back. Was there an announcement that this is being brought back again?

Answer 1

Hi @Alex Rankin
I understand that Azure AD B2C started issuing tokens at 4000+ characters for one of your clients. This has broken your SPA that is hosted on Static Web Apps since the param length limit is being exceeded.

There is no official announcement indicating that Azure AD B2C has either rolled out or rolled back a change resulting in tokens being issued at 4,000+ characters. The official Microsoft documentation and community resources do not specify a hard maximum token size but recommend preparing for tokens up to 2KB (which is roughly 2,000 characters) and note that token size can increase based on the number of claims included.

If you are experiencing a recent, unexpected increase in token size (such as 4,000+ characters), this is likely due to a change in the claims included in the token, or possibly a configuration or policy update in your Azure AD B2C tenant. The official guidance is to optimize token size by reducing the number of claims included in the token.

Follow the document for more information: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click `Accept Answer` and `Yes`.