azure-sdk-for-net
HTTP Error 400. The size of the request headers is too long.
Packages:
- Azure.Identity 1.10.3
- Azure.Messaging.ServiceBus 7.16.2
Problem:
When I attempt to create a service bus subscription on Azure Service Bus using DefaultAzureCredential with a VisualStudioCredential, I get error "HTTP Error 400. The size of the request headers is too long." when I set "ForwardTo". Without "ForwardTo" set, it works. It seems to be because of the referenced code; i.e. that another bearer token is added to the request in the header "ServiceBusSupplementaryAuthorization" when "ForwardTo" is set.
I am a member of many AD-groups, and per the docs, the first 200 are returned when requesting a JWT, this seems to result in a token which is about 10 kB, and the Azure Service Bus API seems to accept about 16 kB. But when another header (with the same value in my case as in the actual Authorization-header) is added, the request size reaches 20 kB, and it looks like it could reach 30 kB if I were to set "fwdDeadLetterTo" also.
Is this as designed? Can I stop the AD from returning all groups I belong to somehow?
https://github.com/Azure/azure-sdk-for-net/blob/2b941a2f3cb6ebefba2477effc741941f1883ac8/sdk/servicebus/Microsoft.Azure.ServiceBus/src/Management/ManagementClient.cs#L1163
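The size estimate in the report above, worked through as an added example (not part of the original issue or of the SDK): it builds a constructed JWT carrying 200 group GUIDs, counts the `groups` claim, and compares the header bytes with and without the second token header. The class and method names, the "Bearer " prefix, and the 16 kB limit (the reporter's own estimate) are assumptions.

```csharp
using System;
using System.Linq;
using System.Text.Json;

internal static class TokenHeaderBudget
{
    // Assumption taken from the report: headers beyond roughly 16 kB are rejected.
    private const int AssumedHeaderLimitBytes = 16 * 1024;

    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Constructed sample token: random group GUIDs and a dummy 256-byte signature.
    private static string BuildSampleToken(int groupCount)
    {
        var header = JsonSerializer.SerializeToUtf8Bytes(new { typ = "JWT", alg = "RS256" });
        var payload = JsonSerializer.SerializeToUtf8Bytes(new
        {
            aud = "https://example.invalid/constructed-audience",
            groups = Enumerable.Range(0, groupCount).Select(_ => Guid.NewGuid().ToString()).ToArray()
        });
        return $"{Base64Url(header)}.{Base64Url(payload)}.{Base64Url(new byte[256])}";
    }

    // Decodes the payload segment (no signature check) and counts the group claims.
    private static int CountGroups(string jwt)
    {
        using var doc = JsonDocument.Parse(FromBase64Url(jwt.Split('.')[1]));
        return doc.RootElement.TryGetProperty("groups", out var g) ? g.GetArrayLength() : 0;
    }

    private static void Main()
    {
        string token = BuildSampleToken(200);
        Console.WriteLine($"groups in token: {CountGroups(token)}, token length: {token.Length} bytes");
        // Each header line costs: name + ": " + "Bearer " (assumed) + token + CRLF.
        int HeaderBytes(string name) => name.Length + 2 + "Bearer ".Length + token.Length + 2;
        int one = HeaderBytes("Authorization");
        int two = one + HeaderBytes("ServiceBusSupplementaryAuthorization");
        foreach (var (label, bytes) in new[] { ("without ForwardTo", one), ("with ForwardTo", two) })
            Console.WriteLine($"{label}: {bytes} bytes, {(bytes > AssumedHeaderLimitBytes ? "over" : "under")} the assumed limit");
    }
}
```

To measure a real token instead, replace `BuildSampleToken(200)` with the access token string obtained from the credential; the payload is only decoded, never validated.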
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Including the supplementary token is a requirement of the service. Adding Service Attention.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @shankarsama @DorothySun216 @EldertGrootenboer @saglodha.
This came up here as well - https://github.com/Azure/azure-sdk-for-net/issues/21226
@meberg Thank you for your feedback. To do further investigation on this, we would like to ask you to provide a sample that will repro this. We will then assign an engineer to look into this, and update this thread with our findings.
@EldertGrootenboer Here is a repro, I'm using the same versions as stated above (1.10.3 and 7.16.2).
```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Messaging.ServiceBus.Administration;

namespace DefaultAzureCredentialServiceBus
{
    internal class Program
    {
        private const string TopicName = "atesttopic";
        private const string QueueName = "atestqueue";
        private const string SubscriptionName = "atestsubscription";
        private const string MyFullyQualifiedNamespace = "my-sbns.servicebus.windows.net";
        private static DefaultAzureCredential _defaultAzureCredential = GetDefaultAzureCredential();

        private static async Task Main(string[] args)
        {
            // Create prerequisite resources
            var adminClient = new ServiceBusAdministrationClient(MyFullyQualifiedNamespace, _defaultAzureCredential);
            await adminClient.CreateTopicAsync(TopicName);
            await adminClient.CreateQueueAsync(QueueName);

            // Try to create subscription
            await CreateSubscriptionAsync();
            Console.WriteLine("Done");
        }

        private static async Task CreateSubscriptionAsync()
        {
            var adminClient = new ServiceBusAdministrationClient(MyFullyQualifiedNamespace, _defaultAzureCredential);
            var subscriptionOptions = new CreateSubscriptionOptions(TopicName, SubscriptionName);
            subscriptionOptions.ForwardTo = QueueName; // Setting "ForwardTo" results in "ServiceBusSupplementaryAuthorization"
                                                       // being provided which approx. doubles the request header size.
            try
            {
                Console.WriteLine("Attempting to create subscription with ForwardTo set, this will result in 400-error if the user is a member of too many AD-groups because the headers will become larger than 16 kB.");
                var result1 = await adminClient.CreateSubscriptionAsync(subscriptionOptions); // 400 The size of the request headers is too long.
            }
            catch (Exception e)
            {
                Console.WriteLine($"Caught exception {e.Message}");
                subscriptionOptions.ForwardTo = null; // Remove ForwardTo which results in the header "ServiceBusSupplementaryAuthorization" not being provided,
                                                      // which approx. halves the request header size since the token is only provided once in the HTTP-call.
                Console.WriteLine("Attempting to create subscription without ForwardTo set, this results in 200 OK.");
                var result2 = await adminClient.CreateSubscriptionAsync(subscriptionOptions); // 200 OK
            }
        }

        private static DefaultAzureCredential GetDefaultAzureCredential()
        {
            // Exclude every credential source except VisualStudioCredential
            var options = new DefaultAzureCredentialOptions()
            {
                ExcludeEnvironmentCredential = true,
                ExcludeManagedIdentityCredential = true,
                ExcludeVisualStudioCodeCredential = true,
                ExcludeVisualStudioCredential = false,
                ExcludeWorkloadIdentityCredential = true,
                ExcludeAzureCliCredential = true,
                ExcludeAzureDeveloperCliCredential = true,
                ExcludeAzurePowerShellCredential = true,
                ExcludeInteractiveBrowserCredential = true,
                ExcludeSharedTokenCacheCredential = true
            };
            return new DefaultAzureCredential(options);
        }
    }
}
```
Any updates on this @EldertGrootenboer?
@meberg We don't have any updates yet, once we do we will share them with this thread.
Thank you for your feedback on this issue. We are investigating this item, once we have more details to share we will update this thread.