OKTA OpenId ASP.Net MVC app throwing 400

Hi,

I implemented OKTA OpenId in my existing ASP.NET MVC application as my client has moved to OKTA org. I used the example:

This app is now part of client’s OKTA Org from where users clicks the app tile and gets redirected to the home page of ASP.NET MVC application.

Now on clicking OKTA org tile, the app is going into a loop of sign in steps and after some time it throws error:

Bad Request - Request Too Long

HTTP Error 400. The size of the request headers is too long.

My startup file is has following code in Configuration method

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
            ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
            AuthorizationServerId = string.Empty,
            RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });

Please help.

Hello Shipra, did you find a solution for this? We’re seeing the same thing but it’s not consistent.

Hi! Did you resolve this? We have the same issue only with some users. For this reason, Okta support told us that is our issue and didn’t help us.

Also experiencing this intermittently. Our site is hosted across 180 sites with unique DNS entries for each site.

However every so often a user a specific site will encounter this and will happen for all users trying to access this site.

Is it user specific or site specific? Is there a lot of information about the user being stored in claims (such as group membership or profile attributes) as that can cause these sort of errors?

Seems to be site specific for me, as soon as a user raises it to our support team any one that attempts to access the site lands up with the same issue, IIS reset seems to help.

I use the following scopes in my request

openid email profile roles groups

Cookies are spammed into the clients browser

I’m looking at potential fixes from my side to try prevent this from happening including migrating from .net 4.7 to .net core as well as potentially trying to implement some of these work arounds https://stackoverflow.com/questions/36795259/too-many-cookies-openidconnect-nonce-cause-error-page-bad-request-request-too

but the migration process is taking some time so until I complete that I’m not able to work on attempting any work arounds yet.