Problem with groups in Oauth2 attribute

Product: PowerShell Universal
Version: 4.0.12

Hi all.
My first post here, please treat me kindly :wink:

I am setting up OpenID Connect authentication and authorization in my psu environment. Authentication went smooth, no big problems there, but now I’m trying to use my AD groups as an attribute in the Oauth2 userinfo for roles assignment and suddenly everything crashes when I try to log in. After some fiddling I suspect that psu doesn’t handle attributes long enough. My idp concatenates all my groups into one string so this particular attribute is almost 3000 characters in length. Can anyone verify that this might be the problem? And is there any way if so of increasing the limit? Or any other way to get around this problem?

I’ll paste the relevant part of my system log below in case it says anything. I think it’s kinda vague on what’s the problem:

2023-09-13 11:32:46.559 +02:00 [INF] Request starting HTTP/2 GET https://<OBFUSCATED>/ - -
2023-09-13 11:32:46.559 +02:00 [VRB] All hosts are allowed.
2023-09-13 11:32:46.559 +02:00 [VRB] This request accepts compression.
2023-09-13 11:32:46.559 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'SessionMiddleware').
2023-09-13 11:32:46.559 +02:00 [DBG] The request path / does not match a supported file type
2023-09-13 11:32:46.559 +02:00 [DBG] The request path  does not match the path filter
2023-09-13 11:32:46.559 +02:00 [DBG] Request did not match any endpoints
2023-09-13 11:32:46.564 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-09-13 11:32:46.564 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-09-13 11:32:46.564 +02:00 [INF] Request finished HTTP/2 GET https://<OBFUSCATED>/ - - - 302 0 - 5.1100ms
2023-09-13 11:32:57.788 +02:00 [INF] Request starting HTTP/2 GET https://<OBFUSCATED>/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=CfDJ8FblZYohXA9GjMMXCihFtjJVlSMMQBodSAtgJqdYSw7NGE0pNkn_uL6vFiszZVkSYUDKTfeY4mwmdqZ37HvUv2jKyv9ATMAl6sEJkUrb3RB9Kwm-kQJiWntEY0ugnfG-3asxPxeWFcDPs6YFJE8bzWmqV1MAoJBDf0g2CMkNCCOJciUnLAghGRAQTYGNdBtcEMR31Up1BXeu3cq3pVIslrJ0PUU0Z8r1253bADoDrk31_tIVLxIWtZzEw4f0uIttAqe8_xY8HyFbqcyU0C4tPQQutj2Z8eMb3R3tT58D2YuXFapNW0KaN-17XL1N5OTeWSWT7mr8PXS5fVueBHpO0D6VhfVS-H1dgeQcwhqiMBi5JxSoBPeIp9dvPCZ8sSMvDw&error=server_error - -
2023-09-13 11:32:57.788 +02:00 [VRB] All hosts are allowed.
2023-09-13 11:32:57.789 +02:00 [VRB] Performing unprotect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-09-13 11:32:57.789 +02:00 [ERR] Connection id "0HMTJCELR3K2I", Request id "0HMTJCELR3K2I:00000003": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'server_error', error_description: 'the server encountered an unexpected error', error_uri: 'error_uri is null'.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2023-09-13 11:32:57.790 +02:00 [INF] Request finished HTTP/2 GET https://<OBFUSCATED>/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=CfDJ8FblZYohXA9GjMMXCihFtjJVlSMMQBodSAtgJqdYSw7NGE0pNkn_uL6vFiszZVkSYUDKTfeY4mwmdqZ37HvUv2jKyv9ATMAl6sEJkUrb3RB9Kwm-kQJiWntEY0ugnfG-3asxPxeWFcDPs6YFJE8bzWmqV1MAoJBDf0g2CMkNCCOJciUnLAghGRAQTYGNdBtcEMR31Up1BXeu3cq3pVIslrJ0PUU0Z8r1253bADoDrk31_tIVLxIWtZzEw4f0uIttAqe8_xY8HyFbqcyU0C4tPQQutj2Z8eMb3R3tT58D2YuXFapNW0KaN-17XL1N5OTeWSWT7mr8PXS5fVueBHpO0D6VhfVS-H1dgeQcwhqiMBi5JxSoBPeIp9dvPCZ8sSMvDw&error=server_error - - - 500 0 - 1.4839ms
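An added diagnostic, not code from the thread or from the PowerShell Universal project: it measures the length of every claim in a userinfo document (or a decoded id_token payload) so you can confirm whether the groups claim is the oversized one before changing anything at the IdP. The sample payload is constructed, and the claim name `groups` and the `;` delimiter are assumptions; substitute whatever your IdP actually emits.

```powershell
# Report the size of each claim in an OIDC userinfo / JWT payload and flag long ones.
function Get-ClaimSizeReport {
    param(
        [Parameter(Mandatory)] [string] $Json,   # userinfo body or a decoded JWT payload
        [int] $WarnAbove = 1024                   # reporting threshold chosen here; not a PSU limit
    )
    $claims = $Json | ConvertFrom-Json
    foreach ($p in $claims.PSObject.Properties) {
        # Non-string claims (arrays, objects) are measured in their compact JSON form.
        $raw = if ($p.Value -is [string]) { $p.Value } else { $p.Value | ConvertTo-Json -Compress }
        [pscustomobject]@{
            Claim  = $p.Name
            Length = $raw.Length
            Flag   = if ($raw.Length -gt $WarnAbove) { 'OVERSIZED' } else { '' }
        }
    }
    # Total size, since the limit may apply to the whole document rather than one claim.
    [pscustomobject]@{ Claim = '(entire payload)'; Length = $Json.Length; Flag = '' }
}

# Decode the payload segment of a JWT for inspection only (no signature validation).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Jwt)
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)                        # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# Constructed sample: 60 fake AD group DNs concatenated into one string, as the
# poster's IdP does (delimiter ';' is an assumption).
$groups = (1..60 | ForEach-Object { "CN=App-Role-$_,OU=Groups,DC=example,DC=test" }) -join ';'
$sample = @{ sub = 'user1'; name = 'Test User'; email = 'user1@example.test'; groups = $groups } |
          ConvertTo-Json -Compress

Get-ClaimSizeReport -Json $sample | Format-Table -AutoSize
"Groups in the claim: $(($groups -split ';').Count)"

# For a real token instead of the sample:
#   Get-ClaimSizeReport -Json (ConvertFrom-JwtPayload $idToken) | Format-Table -AutoSize
```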

Nobody? I’m not sure if it’s a stupid question or if the usage of OpenID Connect simply isn’t really widespread. I also posted this as a ticket, but haven’t got any feedback there.

The solution could be to limit which groups are returned. In Azure/Entra, this is done on the App registration → Token configuration and then editing the Groups claim to

“Groups assigned to the application (recommended for large enterprise companies to avoid exceeding the limit on the number of groups a token can emit)”


Then only groups assigned to the related Enterprise App will be returned
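The same Entra setting applied through Microsoft Graph instead of the portal, as an added example that is not from this thread: the app registration's `groupMembershipClaims` property is set to `ApplicationGroup`, which is the "Groups assigned to the application" option described above. The application object id is a placeholder, and the script assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Restrict the groups claim of an app registration to groups assigned to the
# related Enterprise App. Requires Application.ReadWrite.All (or ownership of the app).
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appObjectId = '<APP-REGISTRATION-OBJECT-ID>'   # placeholder: the object id, not the client id
$uri = "https://graph.microsoft.com/v1.0/applications/$appObjectId"

# Show the current value before changing it.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"groupMembershipClaims before: $($before.groupMembershipClaims)"

# Valid values: None, SecurityGroup, All, ApplicationGroup.
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ groupMembershipClaims = 'ApplicationGroup' }

$after = Invoke-MgGraphRequest -Method GET -Uri $uri
"groupMembershipClaims after:  $($after.groupMembershipClaims)"
```

After this change, only groups assigned to the Enterprise App appear in the token, so the assignment list on the Enterprise App is what controls the claim size.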

Ah, this is a good feature! However my idp software doesn’t have something like that. I’ve heard rumours that it will in some future though…

Regardless of this though, I don’t think the crash I’m experiencing is intended behaviour, psu should really complain in a nicer way. Maybe it could at least truncate the attribute if it’s too long?

The next version (4.2) will display the error in the browser. That said, we might be able to truncate but we would certainly need to notify the user that it’s happening since many of the claims could be missing.

Aha… I thought it was the length of that particular claim that hit the roof, but from what you’re saying it sounds like it is the length of the entire json? I thought you could maybe truncate that particular claim (i.e. cut some of the groups in the list if necessary), but truncating the entire user info (and thus maybe dropping entire claims) will be a bigger problem.

What is the size limit?