authentication.authenticate() rejects with "Authorization code exceeds max length of 2048 characters"

[ivanggq]

Hi,

We are trying to do external browser authentication as described here https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-oauth-provider#add-authentication-to-external-browsers

It works well when the resulting token is less than 2048 chars, but fails with "Authorization code exceeds max length of 2048 characters" when it is more than that.

We are calling authentication.authenticate() with isExternal: true and have implemented all necessary hops, and when we invoke the final msteams://teams.microsoft.com/l/auth-callback?authId=${authId}&result=${token} URL with the resulting token, the promise from authentication.authenticate()rejects with "Authorization code exceeds max length of 2048 characters" if the token is not within 2048 chars.

Our tokens are longer than that. Why is this limitation existing? Can it be disabled somehow (via the manifest for example)? Can it be increased/configured?

Thanks,
Ivan

[jekloudaMSFT]

Hi @ivanggq, thanks for reporting this issue. Our external browser authentication flow validates the authorization code based on the OAuth2 RFC 6750 standard. That standard does not specify a maximum length for the authorization code, but the Google OAuth2 implementation, which has the largest documented limit of the major OAuth providers, has a maximum length of 2048 characters. Can you please share which OAuth2 provider the app is using that generates codes longer than this?

[ivanggq]

Hi @jekloudaMSFT , we are integrating with GoTo (goto.com), and some tokens can be 3 KB. We also know that Intuit's tokens are with max length 4 KB: https://blogs.intuit.com/2020/03/23/increased-lengths-for-oauth-2-0-fields/#:~:text=The%20new%20maximum%20lengths%20are,Refresh%20tokens%3A%20512%20characters

Why is the limit so low and is it possible to increase? Thank you

[jekloudaMSFT]

Hi @ivanggq, thanks for providing more details. The link shows that the authorization code limit is 512 characters. Can you confirm that the app is passing the authorization code back via the "msteams://" link and not the access token? The app should pass the authorization code back to Teams and then exchange the authorization code for the access token inside the WebView. Passing the access token via deeplink is insecure and not a supported scenario.

[ivanggq]

Hi @jekloudaMSFT , sorry for mixing up authorization code and the access token lengths and being unclear. You are right about the link I sent and the limit there being 512 chars for authorization codes.
I confirmed with the team - we are in fact passing authorization codes and they are 3 KB in length.

[jekloudaMSFT]

Thanks for confirming, @ivanggq. Is the size of the GoTo authorization code documented anywhere? We can look into increasing the limit, but per security we can't accept arbitrarily large results

[ivanggq]

No, I don't think it is documented anywhere, but current lengths are around 2.8-3K chars, and maybe a limit of 4K chars (for the GoTo auth codes) is reasonable enough.
Is an increase of 2K -> 4K in the MS Teams library reasonable? Thanks.

[jekloudaMSFT]

Hi @ivanggq, I reached out to GoTo support to get an exact number we could use and received this response:

"Our codes and tokens are shorter than the limit you mentioned,

The code has 1606 characters
The access_token 1548 characters
The refresh_token 1490

Or are you talking about all the information in the .Json response?
If that's it, then I guess we exceed the limit, it will round the 2290 characters, and it will change depending on the scopes, and the email."

Based on this, could the app be using the entire .json response? Can you confirm whether this is the case, and if so whether that additional information is needed to complete the auth flow?

[ivanggq]

Hi, when a user logs into app.goto.com , if you monitor the network calls, the authorization code is 2.8-3 K. This is due to the auth code containing a lot of scopes. when used from the app.goto.com app. (From other GoTo apps, the scopes are fewer and the auth code is smaller).
Reducing the number of scopes is something that we are looking at, but this will not be a quick solution and wanted to check if the MS Teams SDK can help by increasing the limit.

[jekloudaMSFT]

Ok, we can look into increasing the limit, but we want to set it based on the documented limits of popular identity providers. This check is implemented on the host side, so if we do update it will take some time to roll out to our hosts. Would you be willing to troubleshoot why the app is receiving authorization codes so far outside the size indicated by GoTo? If they can update their documentation to specify the larger issued sizes, we can use that as reference in our security reviews.

[ivanggq]

Thanks @jekloudaMSFT , we already know that the size of the auth code is large due to too many scopes being used by app.goto.com and consequently encoded into the auth token. We are working on reducing / unifying the scopes, which will bring the size down, but this would take a few months.
I am also going to raise the question about documenting the current limits - I will let you know of any developments.

[ivanggq]

Hi @jekloudaMSFT , the token sizes are now documented in the GoTo developer portal: https://developer.goto.com/Authentication/#section/Token-sizes

[jekloudaMSFT]

Thanks @ivanggq, I'll let you know when I have an ETA of when you can expect to see the fix rolled out to production