ssl - c# Identity Server Bad Request - Request Too Long

Question

I have an odd issue that I am trying to track down.

If I deploy my client and Identity Server to Azure, using a self signed certificate then the code works.

I have now moved it to our UAT environment, where the identity server is configured to use a purchased certificate. This certificate has been provided for a single domain. identity.mydomain.com

The client has the password for this certificate so it can do what it needs to.

When I browse to the identity server I can log in to the admin section, so that is all running correctly. If I browse to the client, it redirects to the identity service where I can log in. But as soon as I log in, and am redirected back to my website, I get the following error;

Bad Request - Request Too Long

HTTP Error 400. The size of the request headers is too long.

Looking at the cookies, I can see a whole load of cookies created. I have deleted those and restarted, but I still have the same issue. If I increase the size of the buffers by using.

<httpRuntime maxRequestLength="2097151" executionTimeout="2097151">

Then it works, but I am concerned that I am masking a problem rather than fixing it.

Has anyone else had to do this to get identity server to work on iis?

Answer 1

I've had this issue recently. The solution was to downgrade the used NuGet package Microsoft.Owin.Security.OpenIdConnect. I was using 3.0.1. You must downgrade to 3.0.0. This is an issue with Owin/Katana middleware. Descriptioin of the issue can be found here. Note that the page states how to fix the actual issue in the library. I haven't tried that, it could also work and is worth the try.

Note that you must clear your cookies the first time you redeploy with the fix in place. As temporary fix, you can always clear your cookies, and just visit the site again. At some point however, it will always stick bunch of nonce strings in the cookie. Similar issue can be found here.