Resolving "Request URI Too Long (414)" Error During SSO Login

Applies to: Mattermost Server (all versions)

Symptoms: Users are unable to complete login via OAuth or SSO and receive an HTTP 414 error during the authentication callback.


🛑 Problem

Mattermost enforces a maximum allowed length for incoming request URLs via the ServiceSettings.MaximumURLLength configuration setting. As per official Mattermost documentation, the default value for this setting is 2048 characters.

During OAuth or SSO login, the callback URL (for example /signup/{provider}/complete?...) can exceed this limit due to a long code parameter and state and other authentication parameters appended by the identity provider.

When the incoming request URL exceeds this limit, Mattermost returns HTTP 414 and rejects the request before it reaches the OAuth handler. The completeOAuth function is never invoked, so no successful login attempt is recorded in the logs.

This issue can occur with any OAuth or SSO provider that generates large callback URLs. It is more commonly observed with Microsoft Entra ID due to the size of the authentication response.

To confirm this is the cause of the issue, verify all of the following:

  • The OAuth callback does not reach completeOAuth and Mattermost logs show no corresponding successful login attempts.
  • The callback URL length exceeds approximately 2048 characters.
  • Any reverse proxy in use has been confirmed not to be the limiting factor.

Symptoms

Users or administrators experiencing this issue will see:

URL is too long

Additional symptoms:

  • The 414 error occurs after the redirect from the identity provider, before the user reaches the Mattermost application.
  • Mattermost server logs contain no completeOAuth entries corresponding to the failed login attempts.
  • The issue persists after clearing browser cache and after testing in a private or incognito browser window.

âś… Solution

Increasing ServiceSettings.MaximumURLLength raises the application-level URL length cap so that OAuth and SSO callback URLs are accepted and processed by the OAuth handler.

This is an application-level limit and is not related to browser cache, cookies, or network edge and proxy layers (if those have already been validated).

Update the MaximumURLLength Setting in config.json

Locate your config.json file and update the MaximumURLLength value under ServiceSettings:

{
  "ServiceSettings": {
    "MaximumURLLength": 4096
  }
}

Recommended values:

  • 4096: sufficient for most environments.
  • 8192: use if additional headroom is needed for larger OAuth responses.

⚠️ Important: Avoid setting MaximumURLLength to an arbitrarily large value. Configure the minimum value that resolves the issue in your environment. Monitor OAuth callback URL sizes in environments using SSO to inform this value going forward.

Validate the Fix

After applying the change, confirm the following:

  • Users can complete the SSO login flow without a 414 error.
  • Mattermost server logs show completeOAuth entries confirming the OAuth flow reaches the handler.

Additional Resources

For more information, see:

ServiceSettings.MaximumURLLength — Mattermost Configuration Reference

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.