
fix: increase SSO authorization code max_length from 512 to 4096 (Entra ID regression)#4491

Open
ecthelion77 wants to merge 1 commit intoIBM:mainfrom
forterro:fix/sso-code-max-length

Conversation

@ecthelion77
Contributor

🐛 Bug-fix PR

Fixes #4490

📌 Summary

The SSO callback endpoint rejects valid Microsoft Entra ID authorization codes with HTTP 422 because the code query parameter is limited to max_length=512. Entra ID v2 authorization codes routinely exceed 1500 characters, completely breaking SSO login for all Azure AD / Entra ID users.

This is a regression introduced when input validation constraints were added to SSO parameters.

🔁 Reproduction Steps

  1. Configure SSO with Microsoft Entra ID authorization server
  2. Attempt SSO login via admin UI
  3. Entra ID redirects to /api/v1/sso/callback?code=<1500+ char code>&state=...
  4. HTTP 422: string_too_long on code parameter

See issue #4490 for full details and error payload.

🐞 Root Cause

In mcpgateway/routers/sso.py, the code parameter has max_length=512:

code: Optional[str] = Query(None, max_length=512, description="Authorization code from SSO provider"),

Microsoft Entra ID v2 authorization codes are 1200–2000+ characters. The 512 limit triggers a Pydantic validation error before token exchange.

💡 Fix Description

Increase max_length from 512 to 4096 for the code query parameter.

  • RFC 6749 does not define a maximum authorization code length
  • Google: ~70 chars, Microsoft Entra ID: 1200–2000+ chars
  • 4096 provides safe headroom for all known providers
  • Security is enforced by token exchange + HMAC state verification, not code length

Change

-    code: Optional[str] = Query(None, max_length=512, description="Authorization code from SSO provider"),
+    code: Optional[str] = Query(None, max_length=4096, description="Authorization code from SSO provider"),
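Review bot: the new bound on the `+` line is a bare constant; nothing in the hunk records why 4096 was chosen, so a later pass over these validators could tighten it again and reintroduce the same 422. Suggest a one-line comment above the parameter such as `# Entra ID v2 authorization codes run 1200-2000+ chars; keep headroom (see #4490)`, and a unit test that calls `/api/v1/sso/callback` with a 2000-character `code` and asserts the response is not 422 string_too_long, since the Verification table below only records a manual check against Entra ID.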

🧪 Verification

Check               Command     Status
Lint suite          make lint
Unit tests          make test
Manual regression   (none)      no longer fails; tested with Entra ID

📐 MCP Compliance

  • No impact on MCP protocol
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted
  • No secrets/credentials committed
  • Signed-off-by included in commit

Entra ID (Microsoft) v2 authorization codes can exceed 1500 characters.
The previous 512 limit caused HTTP 422 on SSO callback, breaking login.

Fixes: string_too_long validation error on /api/v1/sso/callback
Signed-off-by: Olivier Gintrand <[email protected]>
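The gate described above, as an added example that is not mcpgateway's code: a small stdlib-only model of the callback handler that applies a configurable length bound to the `code` query parameter (standing in for FastAPI's `Query(..., max_length=...)`) and then verifies an HMAC-signed `state`, so you can see the 512 bound reject a constructed 1600-character code with the same `string_too_long` outcome while 4096 accepts it and the `state` check still rejects a forged value. Everything here is hypothetical: `validate_callback`, `make_state`, `verify_state`, the `STATE_KEY` and the constructed code are assumptions, and the token exchange with the provider is not modelled.

```python
"""Model of the /api/v1/sso/callback parameter gate (added example, not mcpgateway code)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Length bounds applied to the `code` query parameter. 512 reproduces the
# regression described in the PR; 4096 is the value the fix uses.
OLD_MAX_LENGTH = 512
NEW_MAX_LENGTH = 4096

# Hypothetical server-side secret used to sign the OAuth `state` value.
STATE_KEY = b"example-only-state-signing-key"


def make_state(nonce: str, key: bytes = STATE_KEY) -> str:
    """Build `state` as nonce.hmac so the callback can prove it minted the value."""
    tag = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_state(state: str, key: bytes = STATE_KEY) -> bool:
    """Constant-time check of the HMAC tag carried in `state`."""
    nonce, sep, tag = state.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def validate_callback(url: str, code_max_length: int, key: bytes = STATE_KEY) -> tuple[int, str]:
    """Return (http_status, detail) for a callback URL.

    Order mirrors a FastAPI handler: parameter validation runs first and
    produces 422, so an over-long code never reaches the state check.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if code is None or state is None:
        return 422, "missing"
    if len(code) > code_max_length:
        # Same outcome Pydantic reports for a max_length violation.
        return 422, "string_too_long"
    if not verify_state(state, key):
        # The actual security boundary: state must carry our HMAC.
        return 400, "invalid_state"
    return 200, "ok"


def constructed_code(length: int) -> str:
    """Constructed opaque URL-safe code of the requested length (not a real Entra ID code)."""
    # token_urlsafe(n) yields roughly 4/3*n characters, so slicing to `length` is safe.
    return secrets.token_urlsafe(length)[:length]


def demo() -> dict:
    """Run the three cases a practitioner wants to see side by side."""
    long_code = constructed_code(1600)
    good_state = make_state("login-nonce-1")
    base = "/api/v1/sso/callback"
    return {
        "old_limit": validate_callback(f"{base}?code={long_code}&state={good_state}", OLD_MAX_LENGTH),
        "new_limit": validate_callback(f"{base}?code={long_code}&state={good_state}", NEW_MAX_LENGTH),
        "forged_state": validate_callback(f"{base}?code={long_code}&state=login-nonce-1.deadbeef", NEW_MAX_LENGTH),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is the one the PR body argues: the length bound only decides whether the request reaches the handler, while the HMAC on `state` (and, in the real gateway, the token exchange) is what decides whether the login is trusted, so the bound can be generous without weakening anything.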
@ecthelion77
Contributor Author

Hey @bogdanmariusc10 — this is a follow-up to your PR #4337 which added input validation to SSO query parameters. The max_length=512 on the code parameter in handle_sso_callback() is too short for Microsoft Entra ID (Azure AD), which routinely issues authorization codes of 1200–2000+ characters. This completely breaks SSO login for all Entra ID users (HTTP 422 string_too_long).

Would appreciate your review since you authored the original validation constraints. The fix simply bumps max_length from 512 to 4096 — RFC 6749 does not define a max code length, and the real security boundary is the token exchange + HMAC state verification. Thanks!

@bogdanmariusc10 bogdanmariusc10 self-requested a review April 28, 2026 10:13
Collaborator

@bogdanmariusc10 bogdanmariusc10 left a comment


Hello, @ecthelion77 ! Thank you for the observation and contribution!

LGTM!

@bogdanmariusc10 bogdanmariusc10 added the labels MUST (P1: Non-negotiable, critical requirements without which the product is non-functional or unsafe), release-fix (Critical bugfix required for the release) and regression (High priority regression) on Apr 28, 2026
Development

Successfully merging this pull request may close these issues.

[BUG][REGRESSION]: SSO callback returns HTTP 422 — authorization code max_length too short for Microsoft Entra ID (breaks SSO login)