External login provider issue - response URI returns 404 (Azure AD B2C/Microsoft/Entra)

Hi. I’m working on integrating an external login provider using Azure AD (Entra/Microsoft account) for my organization for Umbraco backoffice access. I’m adapting my current code for Umbraco 16. Originally I integrated this with Umbraco 13 and everything is/was working well there. Now with Umbraco 16 and the adjusted code as per the documentation it is not quite working. On my configured redirect URI I’m getting a 404 page not found. The URL that Microsoft is redirecting to looks as follows:

https://[website]/umbraco-signin-microsoft?code=[a very long code]&session_state=[a GUID]

The 404 error I’m then getting says:

This [url] page can’t be found
No webpage was found for the web address:

So the authentication over on the Microsoft side is working well, but when the redirect happens I get this 404 error. I have narrowed the issue down to this: if I remove the session_state parameter from the URL and hit enter, the redirect completes and the user is logged in. The issue seems to be similar to the issue described here, only that I’m using Microsoft OAuth and not OpenID:

I’m not sure why Umbraco has a problem with that session_state param and why this is an issue now with Umbraco 16 while it was working well with Umbraco 13.

In any event, if anybody has any insight why this might be happening or a fix that would be much appreciated. I have researched this for quite a while to no avail. Thanks.


I was able to resolve the issue. It was a setting in the web.config related to maxQueryString.

We’re having a similar issue – did you have the maxQueryString value set in your web.config to a value less than the IIS default? Or did you have to increase it to accommodate the redirect?

Thanks!

I increased it from the IIS default of 2048 to a value that accommodated the redirect.

All right, for anyone else having the same issue running Microsoft Entra ID as a backoffice login provider and using IIS hosting:

The redirects coming out of the SSO auth pipeline to the configured CallbackPath can come back to your site with a URL longer than 2048 characters (which is longer than the default accepted by IIS), depending on your Azure Portal App Registration configuration.

To resolve this, update this node of your web.config as such:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Set the maximum query string length in bytes -->
        <requestLimits maxQueryString="8192" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Thanks for your reply; your thread saved us a weekend headache.


To add to this:

We log into the backoffice via Entra as well, using OpenIdConnect. Instead of raising the max query string size, we opted to send the response as a form via the OpenIdConnectOptions:

options.ResponseMode = "form_post";
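For readers comparing the two fixes in this thread: the URL the original poster quoted (/umbraco-signin-microsoft?code=...&session_state=...) is the query-string callback of the Microsoft account OAuth handler, which has no response mode setting, so with that handler raising IIS's maxQueryString is the available lever. The OpenID Connect handler does expose ResponseMode, and form_post moves code and state into a POST body so the callback URL stays short no matter how long Entra makes them. Below is an added example of how the one-liner above fits into a complete backoffice OpenID Connect registration. It is not code from this thread or from Umbraco itself; it follows the AddBackOfficeExternalLogins / AddBackOfficeLogin / SchemeForBackOffice pattern from the Umbraco documentation, and the provider name "Entra", the callback path, and the tenant/client placeholders are assumptions for illustration.

```csharp
// Added example, not code from this thread or from Umbraco itself.
// Provider name "Entra", the callback path and the <tenant-id>/<client-id>/<client-secret>
// placeholders are assumptions for illustration.
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

public class EntraBackOfficeComposer : IComposer
{
    private const string ProviderName = "Entra";

    public void Compose(IUmbracoBuilder builder)
    {
        builder.AddBackOfficeExternalLogins(logins =>
        {
            logins.AddBackOfficeLogin(backOfficeAuthenticationBuilder =>
            {
                backOfficeAuthenticationBuilder.AddOpenIdConnect(
                    // The scheme name must be built with SchemeForBackOffice so the
                    // backoffice recognises this provider.
                    backOfficeAuthenticationBuilder.SchemeForBackOffice(ProviderName),
                    options =>
                    {
                        // Entra ID v2.0 authority for the tenant (placeholder).
                        options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
                        options.ClientId = "<client-id>";
                        // Load the secret from configuration or a vault in practice, never from source.
                        options.ClientSecret = "<client-secret>";

                        // Authorization code flow with PKCE.
                        options.ResponseType = OpenIdConnectResponseType.Code;
                        options.UsePkce = true;

                        // The point of the post above: ask Entra to deliver code and state in a
                        // POST body (response_mode=form_post) instead of the query string. The
                        // callback request then carries almost no query string, so the IIS
                        // requestFiltering maxQueryString limit (default 2048) is never reached.
                        options.ResponseMode = OpenIdConnectResponseMode.FormPost;

                        // Must match a Redirect URI registered under the "Web" platform of the
                        // app registration; that platform accepts POSTed responses.
                        options.CallbackPath = "/umbraco-signin-entra";

                        options.Scope.Add("email");
                        options.Scope.Add("profile");
                        options.GetClaimsFromUserInfoEndpoint = true;
                        options.TokenValidationParameters.NameClaimType = "name";
                    });
            });
        });
    }
}
```

Two checks worth doing after switching to form_post: the callback arrives as a cross-site POST, so the handler's correlation and nonce cookies must be sent with it; the ASP.NET Core OpenID Connect handler marks them SameSite=None and Secure by default, which means the site has to be served over HTTPS or the browser will drop them and you will get a correlation failure instead of a 404. And the redirect URI in the app registration must be on the "Web" platform, since single-page-application redirect URIs are not allowed to receive form_post responses. Umbraco also expects the usual BackOfficeExternalLoginProviderOptions registration for the login button and auto-linking settings; that part is unchanged by the response mode and is omitted here.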