Setting up OIDC with Azure Error: "Request contains too many headers"

Hi All,

I am working to set up OIDC with Azure AD. Everything seems to be set up properly and I am able to authenticate using Azure credentials. However, after a few sign-out / sign-in cycles I start to receive HTTP Error 431 in my browser, and the following error in the logs.

Once I start to receive the error, I have to close my browser and start over or restart universal.

I have tried increasing MaxRequestHeadersTotalSize and MaxRequestHeaderCount via AppSettings.json and ENV variables, to no effect.

Any idea what could be causing this?

2023-07-05 17:13:06 [00:13:06 INF] AuthenticationScheme: OpenIdConnect was challenged.
2023-07-05 17:13:06 [00:13:06 VRB] After executing action result Microsoft.AspNetCore.Mvc.ChallengeResult.
2023-07-05 17:13:06 [00:13:06 VRB] Result Filter: Before executing OnResultExecuted on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter.
2023-07-05 17:13:06 [00:13:06 VRB] Result Filter: After executing OnResultExecuted on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter.
2023-07-05 17:13:06 [00:13:06 VRB] Resource Filter: Before executing OnResourceExecuted on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter.
2023-07-05 17:13:06 [00:13:06 VRB] Resource Filter: After executing OnResourceExecuted on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter.
2023-07-05 17:13:06 [00:13:06 INF] Executed action UniversalDashboard.Controllers.AuthenticationController.RedirectToUrl (Universal.Server) in 2.1146ms
2023-07-05 17:13:06 [00:13:06 INF] Executed endpoint 'UniversalDashboard.Controllers.AuthenticationController.RedirectToUrl (Universal.Server)'
2023-07-05 17:13:06 [00:13:06 INF] Request finished HTTP/2 GET https://localhost:5001/api/v1/auth/redirect?returnUrl=/admin - - - 302 0 - 5.1620ms
2023-07-05 17:13:06 [00:13:06 VRB] Connection id "0HMRTMJGUV4S9" sending HEADERS frame for stream ID 113 with length 1574 and flags END_STREAM, END_HEADERS.
2023-07-05 17:13:07 [00:13:07 VRB] Connection id "0HMRTMJGUV4S9" received HEADERS frame for stream ID 115 with length 13177 and flags END_HEADERS, PRIORITY.
2023-07-05 17:13:07 [00:13:07 DBG] Connection id "0HMRTMJGUV4S9" bad request data: "Request contains too many headers."
2023-07-05 17:13:07 Microsoft.AspNetCore.Server.Kestrel.Core.BadHttpRequestException: Request contains too many headers.
2023-07-05 17:13:07    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Stream.TryParseRequest(ReadResult result, Boolean& endConnection)
2023-07-05 17:13:07    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2023-07-05 17:13:07    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequestsAsync[TContext](IHttpApplication`1 application)
2023-07-05 17:13:07 [00:13:07 VRB] Connection id "0HMRTMJGUV4S9" sending HEADERS frame for stream ID 115 with length 41 and flags END_STREAM, END_HEADERS.
2023-07-05 17:13:07 [00:13:07 INF] Connection id "0HMRTMJGUV4S9", Request id "0HMRTMJGUV4S9:00000073": the application completed without reading the entire request body.
2023-07-05 17:13:07 [00:13:07 VRB] Connection id "0HMRTMJGUV4S9" sending RST_STREAM frame for stream ID 115 with length 4 and flags 0x0.
2023-07-05 17:13:07 [00:13:07 VRB] Connection id "0HMRTMJGUV4S9" received DATA frame for stream ID 115 with length 1604 and flags END_STREAM.

Are you sending groups in your claims in Azure? If so, try going to the Azure App Registration and target the specific group(s) that you will allow access to PSU, then in the App Registration's token configuration select to only include groups assigned to the application.

That's a good tip, I did do that and it significantly reduced the size of the claim. But I'm still getting this error.

I think next I’ll try to get a sample of the request, maybe that will shed some light on it.

Looks like cookie headers may be the culprit. Not sure why this is happening, but there are many, many cookie headers in the request that is failing.

Narrowed this down to something related to logout. I can reliably reproduce the problem by following these steps:

  1. Sign in to PU using OIDC. This happens when I browse to the dashboard because I have authentication enabled.
  2. Sign out using the "Sign Out" button after clicking my profile name at the top right.
  3. Repeat steps 1 and 2 until I receive an Error 431 and a ton of cookies in the browser.

However… if, instead of clicking the Sign Out link, I manually browse to "https://localhost:5001/api/v1/signout?returnurl=/home", I do not have the problem at all. I can sign in/out repeatedly with no trouble, as long as I use that signout URL instead of the button.
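
An added example (not from any poster in this thread) for checking a captured failing request like the one described above: it counts header fields with one field per cookie, which is how HTTP/2 cookie crumbs reach the server, and groups cookies by name so the ones piling up stand out. The limits are assumed to be Kestrel's defaults, and the cookie names in the sample are constructed; the thread does not say which cookies accumulated.

```python
from collections import Counter

# Assumed limits: Kestrel's defaults for the two settings named in the thread.
MAX_HEADER_COUNT = 100        # MaxRequestHeaderCount
MAX_HEADERS_TOTAL = 32768     # MaxRequestHeadersTotalSize, bytes


def cookie_family(name):
    """Collapse a per-login random suffix: 'a.b.<random>' -> 'a.b.*'."""
    head, dot, _ = name.rpartition(".")
    return head + ".*" if dot and head else name


def audit_request(headers):
    """headers: list of (name, value) pairs captured from one request.

    A 'cookie' field holding several cookies is split on ';' so the count
    matches a request where every cookie is sent as its own header field.
    """
    fields = []
    for name, value in headers:
        if name.lower() == "cookie":
            fields += [("cookie", c.strip()) for c in value.split(";") if c.strip()]
        else:
            fields.append((name.lower(), value))
    families = Counter(
        cookie_family(v.split("=", 1)[0]) for n, v in fields if n == "cookie"
    )
    total = sum(len(n) + len(v) for n, v in fields)
    return {
        "field_count": len(fields),
        "total_bytes": total,
        "over_count": len(fields) > MAX_HEADER_COUNT,
        "over_size": total > MAX_HEADERS_TOTAL,
        "cookie_families": families.most_common(),
    }


def sample_request(logins):
    """Constructed capture: each sign-in cycle leaves two stale cookies behind."""
    headers = [(":method", "GET"), (":path", "/admin"), ("accept", "text/html")]
    for i in range(logins):
        headers.append(("cookie", f".AspNetCore.OpenIdConnect.Nonce.n{i:04d}=N"))
        headers.append(("cookie", f".AspNetCore.Correlation.c{i:04d}=N"))
    headers.append(("cookie", "session=" + "x" * 200))
    return headers


if __name__ == "__main__":
    for key, val in audit_request(sample_request(60)).items():
        print(key, val)
```

In the constructed sample the header count passes 100 while the total size stays far below 32768 bytes, so a request can fail on count alone even when its cookies are small.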

I am experiencing the same issue. Same fix works, delete the cookies. Did you ever get further with the root cause?

No, never got to root cause on this.