[keycloak-dev] Access Token getting truncated when apache HTTPD is in front

Marko Strukelj mstrukel at redhat.com
Tue Nov 7 10:24:34 EST 2017


If you increased LimitRequestFieldSize to more than the actual size of the
header, then this error should be gone or you should be getting a different
error. Unless you have another proxy / load balancer in front of your
Apache, or between Apache and Keycloak.

I'd do a little test using curl, setting a header of large length, and
tcpdump on Keycloak host to make sure header gets through.

On Tue, Nov 7, 2017 at 1:11 PM, Pharande Rahul <rahul.pharande at gi-de.com>
wrote:

> Hello Team,
>
> I'm facing issue of "Access Token getting truncated when apache HTTPD is
> in front".
> Though this issue is not directly associated/related to Keycloak but in
> combination with Apache HTTPD + Keycloak, I would like to take help from
> experts here :)
>
> Below are more details on same.
>
> Environment :
>
> o   Server : Keycloak v3.x
>
> o   Proxy server :    Apache HTTPD 2.4.x
>
> o   Client: Angular2 application using OIDC library.
>
> Issue Description / Steps to reproduce:
>
> *         Create realm in Keycloak
>
> *         Create client for realm along with redirect url etc.
>
> *         Create ~70 role/permissions for client with longer names ~25
> characters in permission name.
>
> *         Create user and assign all above permissions for newly created
> client.
>
> *         Access Angular2 application running in browser, and for
> protected resources Keycloak login page displayed where redirect_uri
> parameter is given/supplied.
>
> *         After entering valid user credentials, keycloak redirects to
> Application's redirect URL
>
> *         However error shown on browser console that, "failed at_hash".
>
> o   This is because incomplete/truncated token returned and OIDC client
> library in Angular application tries to validate token received.
> Important point here:
>
> *         Defect mentioned only occurs when Apache is in front and used as
> proxy/load balancer server.
>
> My analysis:
>
> *         As per my analysis, I see Keycloak returns access_token
> information in response header during redirect
>
> *         Apache has restriction of handling response header  or cookies
> of size upto 8k
>
> *         Even after setting, various parameters in Apache HTTPD like -
> "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.
>
>
> Please let me know if anyone already experienced such issue OR has any
> alternative on using/configuring Keycloak to redirect using part response.
>
> Thanks and Regards.
> Rahul Pharande
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
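An added example, not code from either poster: a loopback substitute for the curl-plus-tcpdump check Marko suggests. It starts a tiny stand-in upstream that reports how many bytes of the `Authorization` header reached it and reflects the value back in a response header, so the same probe exercises both directions (the report above concerns a token carried in a redirect response header, while `LimitRequestFieldSize` governs request headers). Run the stand-in on the Keycloak host, or anywhere behind the proxy, and point the client at the proxy instead of `127.0.0.1`; a shortfall in `bytes_seen_upstream`, a shorter echo, or a 400/431 from the hop in front pins the truncation to that hop. The host, port, path and header names are assumptions of this example, and the sizes straddle 8190 bytes because that is Apache's default `LimitRequestFieldSize`.

```python
"""Probe whether a large HTTP header survives the path to an upstream and back.

Added example (not from the keycloak-dev thread): a loopback stand-in for the
upstream reports how many bytes of the Authorization header it received and
echoes the value back in a response header, so a client on the other side of
a proxy can compare what was sent with what arrived in both directions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Stand-in for the upstream (e.g. the Keycloak host) in a controlled test."""

    def do_GET(self):
        value = self.headers.get("Authorization", "")
        body = str(len(value)).encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        # Reflect the value so the response direction is exercised too; the
        # reported failure involves a token carried in a redirect's header.
        self.send_header("X-Echo-Authorization", value)  # assumed header name
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the probe quiet


def start_echo_server(host="127.0.0.1", port=0):
    """Start the stand-in upstream on a free port; returns the server object."""
    server = HTTPServer((host, port), HeaderEchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_header(host, port, value_bytes):
    """Send one GET whose Authorization value is exactly value_bytes long.

    Returns (status, bytes_seen_upstream, bytes_echoed_back); the last two
    are None when the hop in front answered with a non-200 (e.g. 400 or 431).
    """
    value = "Bearer " + "A" * (value_bytes - len("Bearer "))  # constructed token
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/probe", headers={"Authorization": value})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace")
        if resp.status != 200:
            return resp.status, None, None
        echoed = resp.getheader("X-Echo-Authorization") or ""
        return resp.status, int(body), len(echoed)
    finally:
        conn.close()


def header_survives(host, port, value_bytes):
    """True only if the full value reached upstream and came back intact."""
    status, seen, echoed = probe_header(host, port, value_bytes)
    return status == 200 and seen == value_bytes and echoed == value_bytes


if __name__ == "__main__":
    # Direct loopback run: with no proxy in between every size passes.
    # Replace host/port with the proxy's to test the real path.
    srv = start_echo_server()
    port = srv.server_address[1]
    for size in (1024, 8190, 8192, 16384):
        print(size, header_survives("127.0.0.1", port, size))
    srv.shutdown()
```

Note that Apache's request-header limit is applied to the whole field line, name and separator included, so a value a few bytes under 8190 can still trip the default; if the direct run passes at every size and the run through the proxy fails at the same sizes, the proxy chain (including any balancer in front of Apache) is where to look rather than Keycloak.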

