[keycloak-user] Access Token getting truncated when apache HTTPD is in front

Pharande Rahul rahul.pharande at gi-de.com
Fri Nov 10 02:30:16 EST 2017 

Hi,

Any updates/hints on this issue?

Thanks
Rahul
-----Original Message-----
From: Shaikh Asrafali Anwarali 
Sent: Thursday, November 09, 2017 10:02 AM
To: stian at redhat.com; Pharande Rahul
Subject: RE: [keycloak-user] Access Token getting truncated when apache HTTPD is in front

Hi Stian,

Could you please share your views on the below issue, it's a blocker for us.
We have also posted this on keyclaok users forum, but we are still waiting for some kind of response.  

Scroll downwards for issue detail. 

Thanks in advance.

Regards,
Asraf Shaikh

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pharande Rahul
Sent: Wednesday, November 08, 2017 4:50 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Access Token getting truncated when apache HTTPD is in front

Hello Team,

I'm facing issue of "Access Token getting truncated when apache HTTPD is in front".
Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here :)

Below are more details on same.

Environnent :

o   Server : Keycloak v3.x

o   Proxy server :    Apache HTTPD 2.4.x

o   Client: Angular2 application using OIDC library.

Issue Description / Steps to reproduce:

*         Create realm in Keycloak

*         Create client for realm along with redirect url etc.

*         Create ~70 role/permissions for client with longer names ~25 characters in permission name.

*         Create user and assign all above permissions for newly created client.

*         Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied.

*         After entering valid user credentials, keycloak redirects to Application's redirect URL

*         However error shown on browser console that, "failed at_hash".

o   This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received.
Important point here:

*         Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.

My analysis:

*         As per my analysis, I see Keycloak returns access_token information in response header during redirect

*         Apache has restriction of handling response header  or cookies of size upto 8k

*         Even after setting, various parameters in Apache HTTPD like - "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.


Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response..

Thanks and Regards.
Rahul Pharande

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list