OAuth2 Token Endpoint gives 500 Internal Server Error for chunked transfer encoding

  • Question

  • Hi all,

    I'm adding a "Log in with Microsoft" feature to a web application, using the OAuth 2.0 Authorization Code Grant Flow as documented here [1].

    In Step 5 the web application exchanges an authorization code for an access token by sending an HTTP POST request to the token endpoint at https://login.live.com/oauth20_token.srf .  Despite following the documentation carefully, I kept getting a 500 Internal Server Error back at this step, with only the text "500 Internal Server Error" in the response body.

    After much trial and error, I discovered the problem is that the access token endpoint apparently does not support HTTP 1.1 "Transfer-Encoding: chunked".  I modified my client (Apache HTTP client in Java) to enable buffering of the request, thus disabling chunking, and this worked around the problem.

    Clearly this is a bug in the Windows Live OAuth2 implementation, as the HTTP spec requires [2] all HTTP servers to support chunked transfer encoding.  At the very least, if this is a known limitation of the server, it would be better if the token endpoint could respond with an error clearly stating that chunked transfer encoding is not supported, rather than a generic "500 Internal Server Error" with no hint as to what might be wrong.

    My first objective is to document this problem where other developers may see it when troubleshooting.  And my second is to ask if there is somewhere I can file a bug to get this fixed?  I couldn't find any information about a way to file a bug against the Windows Live Services.

    Thanks,
    Jesse

      [1] https://msdn.microsoft.com/en-us/library/hh243647.aspx#authcodegrant
      [2] https://tools.ietf.org/html/rfc7230#section-4.1

    Wednesday, June 3, 2015 9:00 PM
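
The buffering workaround described in the post, as an added example that is not the poster's code. It assumes Apache HttpClient 4.x and that the chunking came from a stream-backed request entity of unknown length; the class name and form values are constructed placeholders. Nothing is sent over the network: it only reports which framing header the client would choose.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.BufferedHttpEntity;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.RequestContent;

public class TokenRequestFraming {
    // Constructed placeholder values, not real credentials.
    static final String FORM = "grant_type=authorization_code"
            + "&code=PLACEHOLDER_CODE"
            + "&client_id=PLACEHOLDER_CLIENT_ID"
            + "&client_secret=PLACEHOLDER_SECRET"
            + "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback";

    // Returns the framing header HttpClient would put on the wire for this entity.
    static String framingFor(HttpEntity entity) throws Exception {
        HttpPost post = new HttpPost("https://login.live.com/oauth20_token.srf");
        post.setEntity(entity);
        // RequestContent is the interceptor that chooses between
        // Transfer-Encoding: chunked and Content-Length; nothing is sent here.
        new RequestContent().process(post, new BasicHttpContext());
        if (post.containsHeader("Transfer-Encoding")) {
            return "Transfer-Encoding: " + post.getFirstHeader("Transfer-Encoding").getValue();
        }
        return "Content-Length: " + post.getFirstHeader("Content-Length").getValue();
    }

    public static void main(String[] args) throws Exception {
        InputStream body = new ByteArrayInputStream(FORM.getBytes(StandardCharsets.UTF_8));
        // Streamed entity with unknown length (-1): HttpClient has to chunk it.
        HttpEntity streamed = new InputStreamEntity(body, -1,
                ContentType.APPLICATION_FORM_URLENCODED);
        System.out.println("streamed: " + framingFor(streamed));

        // Buffering reads the stream into memory, so the length is known
        // and the request is framed with Content-Length instead.
        HttpEntity buffered = new BufferedHttpEntity(streamed);
        System.out.println("buffered: " + framingFor(buffered));
    }
}
```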