[keycloak-dev] Access Token getting truncated when apache HTTPD is in front
Marko Strukelj
mstrukel at redhat.com
Tue Nov 7 10:40:50 EST 2017
And please use the keycloak-user mailing list for questions like this.
On Tue, Nov 7, 2017 at 3:24 PM, Marko Strukelj <mstrukel at redhat.com> wrote:
> If you increased LimitRequestFieldSize to more than the actual size of the
> header, then this error should be gone or you should be getting a different
> error. Unless you have another proxy / load balancer in front of your
> Apache, or between Apache and Keycloak.
>
> I'd do a little test using curl, setting a header of large length, and
> tcpdump on Keycloak host to make sure header gets through.
>
> On Tue, Nov 7, 2017 at 1:11 PM, Pharande Rahul <rahul.pharande at gi-de.com>
> wrote:
>
>> Hello Team,
>>
>> I'm facing an issue of "Access Token getting truncated when apache HTTPD is
>> in front".
>> Though this issue is not directly associated with/related to Keycloak, in
>> combination with Apache HTTPD + Keycloak I would like to take help from
>> experts here :)
>>
>> Below are more details on same.
>>
>> Environment:
>>
>> o Server : Keycloak v3.x
>>
>> o Proxy server : Apache HTTPD 2.4.x
>>
>> o Client: Angular2 application using OIDC library.
>>
>> Issue Description / Steps to reproduce:
>>
>> * Create realm in Keycloak
>>
>> * Create client for realm along with redirect url etc.
>>
>> * Create ~70 role/permissions for client with longer names ~25
>> characters in permission name.
>>
>> * Create user and assign all above permissions for newly created
>> client.
>>
>> * Access Angular2 application running in browser, and for
>> protected resources Keycloak login page displayed where redirect_uri
>> parameter is given/supplied.
>>
>> * After entering valid user credentials, keycloak redirects to
>> Application's redirect URL
>>
>> * However, an error is shown on the browser console: "failed at_hash".
>>
>> o This is because an incomplete/truncated token is returned and the OIDC client
>> library in the Angular application tries to validate the token received.
>> Important point here:
>>
>> * Defect mentioned only occurs when Apache is in front and used
>> as proxy/load balancer server.
>>
>> My analysis:
>>
>> * As per my analysis, I see Keycloak returns access_token
>> information in the response header during redirect
>>
>> * Apache has a restriction on handling response headers or cookies
>> of size up to 8k
>>
>> * Even after setting various parameters in Apache HTTPD like
>> "LimitRequestFieldSize" and "LimitRequestLine" we are still getting this error.
>>
>>
>> Please let me know if anyone has already experienced such an issue OR has any
>> alternative on using/configuring Keycloak to redirect using part response.
>>
>> Thanks and Regards.
>> Rahul Pharande
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
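The thread turns on two things: how quickly a Keycloak-style token grows as roles are added, and what a proxy that cuts a header line at 8 KB does to the token the browser ends up with. The script below is an added example, not code from Keycloak, Apache or the posters. It builds a constructed HS256 JWT with the Keycloak access-token claim layout (realm_access / resource_access role lists, signed with a throwaway demo key rather than a realm key), puts it into an implicit-flow redirect `Location` header the way the Angular2 + OIDC client in the thread would receive it, measures the header line against Apache's default `LimitRequestFieldSize` of 8190 bytes, and shows that a token cut short by a proxy no longer verifies. The issuer URL, client id, role names and redirect URI are placeholders.

```python
"""Estimate Keycloak-style token size versus an 8 KB header-line limit and
show why a truncated token fails validation.

Added example, not Keycloak or Apache code. The JWT is constructed and
signed with a throwaway HS256 key; only the claim layout imitates Keycloak.
"""
import base64
import hashlib
import hmac
import json

# Default value of Apache httpd's LimitRequestFieldSize directive (bytes).
APACHE_DEFAULT_FIELD_LIMIT = 8190

# Constructed demo key; not a real realm secret.
DEMO_HMAC_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_token(n_roles: int, role_len: int, client_id: str = "angular-app") -> str:
    """Constructed HS256 JWT carrying n_roles client roles of role_len chars each."""
    roles = [f"perm-{i:03d}".ljust(role_len, "x") for i in range(n_roles)]
    payload = {
        "iss": "https://keycloak.example.invalid/auth/realms/demo",  # placeholder
        "sub": "00000000-0000-0000-0000-000000000000",  # placeholder
        "azp": client_id,
        "typ": "Bearer",
        "realm_access": {"roles": ["offline_access", "uma_authorization"]},
        "resource_access": {client_id: {"roles": roles}},
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(payload))
    sig = hmac.new(DEMO_HMAC_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes = DEMO_HMAC_KEY) -> bool:
    """HS256 check. A token cut short by a proxy fails here, just as it fails
    the OIDC client's signature / at_hash checks in the thread."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    try:
        actual = base64.urlsafe_b64decode(parts[2] + "=" * (-len(parts[2]) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(expected, actual)


def location_header(redirect_uri: str, tokens: dict) -> str:
    """Redirect response header for an implicit-flow client: tokens in the URL
    fragment, as the Angular2 + OIDC setup in the thread receives them."""
    fragment = "&".join(f"{k}={v}" for k, v in tokens.items())
    return f"Location: {redirect_uri}#{fragment}"


def header_field_size(header_line: str) -> int:
    """Size of the header line in bytes, as a server counts it against a limit."""
    return len(header_line.encode("ascii"))


def fits_limit(header_line: str, limit: int = APACHE_DEFAULT_FIELD_LIMIT) -> bool:
    return header_field_size(header_line) <= limit


def truncate_like_proxy(header_line: str, limit: int) -> str:
    """Model a proxy that silently cuts a header line at `limit` bytes."""
    return header_line[:limit]


def token_from_location(header_line: str) -> str:
    """Pull access_token out of the Location fragment (base64url needs no decoding)."""
    _, _, fragment = header_line.partition("#")
    for pair in fragment.split("&"):
        key, _, value = pair.partition("=")
        if key == "access_token":
            return value
    return ""


def sizes_by_role_count(counts, role_len=25, limit=APACHE_DEFAULT_FIELD_LIMIT):
    """Rows of (n_roles, Location header bytes, fits_limit) for each role count."""
    rows = []
    for n in counts:
        tokens = {"access_token": build_token(n, role_len),
                  "token_type": "bearer", "state": "constructed-state"}
        hdr = location_header("https://app.example.invalid/", tokens)
        rows.append((n, header_field_size(hdr), fits_limit(hdr, limit)))
    return rows


if __name__ == "__main__":
    for n, size, ok in sizes_by_role_count([0, 70, 200, 400]):
        print(f"{n:4d} roles -> {size:6d} bytes  {'fits' if ok else 'EXCEEDS'} {APACHE_DEFAULT_FIELD_LIMIT}")
    big = build_token(400, 25)
    hdr = location_header("https://app.example.invalid/", {"access_token": big})
    cut = token_from_location(truncate_like_proxy(hdr, APACHE_DEFAULT_FIELD_LIMIT))
    print("intact verifies:", verify_token(big), "| truncated verifies:", verify_token(cut))
```

Run it with different role counts and name lengths to see where the redirect header crosses 8190 bytes; real Keycloak tokens carry more claims (profile fields, scope, session state, an RSA signature) and the redirect may carry an id_token as well, so they cross it sooner than this constructed payload does. One caveat worth keeping in mind when reading the thread: `LimitRequestFieldSize` limits header lines in requests arriving from the client, whereas the truncated `Location` line is a response header coming back from Keycloak through the proxy, which is sized separately. That is why the suggestion to confirm with curl and tcpdump what actually reaches Keycloak, and what comes back, is the right next step.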