I have an application registered in Microsoft Entra ID. The application is supposed to be used by daemon software to do administrative work in MS Entra ID and corporate SharePoint; it is configured for the "Application" type of API permissions: Directory.ReadWrite.All and Sites.FullControl.All for Microsoft.Graph.
The app is configured for client credentials.
Then I use the MS Graph API in my C# code with GraphServiceClient (NuGet: Microsoft.Graph 5.41.0) to make a request. Some pseudocode is below.
using System.Collections.Generic;
using Azure.Identity;
using Microsoft.Graph;

// Client credentials flow: tenant ID, app (client) ID and client secret are read from configuration.
ClientSecretCredential credential = new ClientSecretCredential(tenantID, clientID, clientSecret);
GraphServiceClient client = new GraphServiceClient(credential, new List<string>() { "https://graph.microsoft.com/.default" });
// Retrieving a list of SharePoint sites with the client created above:
Microsoft.Graph.Sites.GetAllSites.GetAllSitesGetResponse? response = await client.Sites.GetAllSites.GetAsGetAllSitesGetResponseAsync();
I'm getting the error below:
Bad Request - Header Field Too Long
HTTP Error 400. A request header field is too long
Yes, I have checked that my access token for this tenant is 18 KB in size.
How would I approach solving this kind of issue? The error comes directly from the MS Graph API.
Looking for online answers, the only suggested solution is to reduce the API permissions. I'm not sure if that's something I could really do. It's a strange limit imposed on the Graph API call. There must be a workaround I suppose, otherwise how do I create a daemon application that would be accessing different types of data in MS Entra ID (like users, groups, apps, SharePoint Sites, etc.) and doing complex administrative tasks?
Any help would be greatly appreciated.
The occurrence of the "Bad Request - Header Field Too Long" error typically indicates that the size of the request header has surpassed the maximum allowable limit. This situation often arises when the access token's size exceeds the designated threshold. To address this issue, one viable solution involves employing a certificate in lieu of a client secret for application identification, a practice particularly recommended for production-grade applications. Alternatively, diminishing the number of API permissions can alleviate the problem. However, if reducing permissions is not feasible, one can attempt to mitigate the error by either segmenting the request into smaller portions or leveraging an alternative API endpoint that supports larger header sizes.
References: client-credential-flows#ensuring-high-availability-of-your-applications
authorization-request-denied-graph-api#authorization_requestdenied-error-when-you-try-to-change-a-password-using-graph-api
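Both the question ("my access token for this tenant is 18 KB") and the answer ("diminishing the number of API permissions") turn on how big the app-only token is and which app-role claims inflate it. The following diagnostic is an added example, not code from the question, the answer or the Microsoft.Graph project: it acquires a client-credentials token for the same https://graph.microsoft.com/.default scope, measures the bytes that will travel in the Authorization header, and lists the `roles` claims so you can see exactly which "Application" permissions are present before deciding what to trim. It assumes the NuGet packages Azure.Identity and System.IdentityModel.Tokens.Jwt; the tenant, client ID and secret are placeholders to be replaced from configuration.

```csharp
// Added diagnostic example (not from the question or the answer).
// Assumes NuGet packages: Azure.Identity, System.IdentityModel.Tokens.Jwt.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class TokenDiagnostics
{
    // Acquires an app-only Graph token and returns its size on the wire plus the app-role claims.
    public static async Task<(int Bytes, string[] Roles)> InspectAsync(
        string tenantId, string clientId, string clientSecret)
    {
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var context = new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" });
        AccessToken token = await credential.GetTokenAsync(context, default);

        // The raw JWT is sent verbatim in "Authorization: Bearer <token>",
        // so its byte length is what the request-header limit sees.
        int bytes = Encoding.ASCII.GetByteCount(token.Token);

        // Read claims locally without validating the signature; this is inspection only,
        // the token is still validated by Graph when it is used.
        JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(token.Token);
        string[] roles = jwt.Claims
            .Where(c => c.Type == "roles")     // one claim per granted application permission
            .Select(c => c.Value)
            .OrderBy(r => r)
            .ToArray();

        return (bytes, roles);
    }

    public static async Task Main()
    {
        // Placeholder values: load them from configuration or a secret store, never hard-code the secret.
        var (bytes, roles) = await InspectAsync("<tenant-id>", "<client-id>", "<client-secret>");

        Console.WriteLine($"Access token size: {bytes} bytes ({bytes / 1024.0:F1} KB)");
        Console.WriteLine($"Application role claims ({roles.Length}):");
        foreach (string role in roles)
            Console.WriteLine($"  {role}");
    }
}
```

Run it once per tenant the daemon serves; the printed `roles` list is the concrete input for the answer's "reduce the API permissions" advice, since each granted application permission adds one claim to the token, and the byte count lets you re-check the header size after each change to the app registration.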