And please use keycloak-user mailing list for questions like this.
On Tue, Nov 7, 2017 at 3:24 PM, Marko Strukelj <mstrukel(a)redhat.com> wrote:
If you increased LimitRequestFieldSize to more than the actual size
of the
header, then this error should be gone or you should be getting a different
error. Unless you have another proxy / load balancer in front of your
Apache, or between Apache and Keycloak.
I'd do a little test using curl, setting a header of large length, and
tcpdump on Keycloak host to make sure header gets through.
On Tue, Nov 7, 2017 at 1:11 PM, Pharande Rahul <rahul.pharande(a)gi-de.com>
wrote:
> Hello Team,
>
> I'm facing issue of "Access Token getting truncated when apache HTTPD is
> in front".
> Though this issue is not directly associated/related to Keycloak but in
> combination with Apache HTTPD + Keycloak, I would like to take help from
> experts here :)
>
> Below are more details on same.
>
> Environnent :
>
> o Server : Keycloak v3.x
>
> o Proxy server : Apache HTTPD 2.4.x
>
> o Client: Angular2 application using OIDC library.
>
> Issue Description / Steps to reproduce:
>
> * Create realm in Keycloak
>
> * Create client for realm along with redirect url etc.
>
> * Create ~70 role/permissions for client with longer names ~25
> characters in permission name.
>
> * Create user and assign all above permissions for newly created
> client.
>
> * Access Angular2 application running in browser, and for
> protected resources Keycloak login page displayed where redirect_uri
> parameter is given/supplied.
>
> * After entering valid user credentials, keycloak redirects to
> Application's redirect URL
>
> * However error shown on browser console that, "failed at_hash".
>
> o This is because incomplete/truncated token returned and OIDC client
> library in Angular application tries to validate token received.
> Important point here:
>
> * Defect mentioned only occurs when Apache is in front and used
> as proxy/load balancer server.
>
> My analysis:
>
> * As per my analysis, I see Keycloak returns access_token
> information in response header during redirect
>
> * Apache has restriction of handling response header or cookies
> of size upto 8k
>
> * Even after setting, various parameters in Apache HTTPD like -
> "LimitRequestFieldSize", "LimitRequestLine" we are still getting
this error.
>
>
> Please let me know if anyone already experienced such issue OR has any
> alternative on using/configuring Keycloak to redirect using part response..
>
> Thanks and Regards.
> Rahul Pharande
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>