Hello Team,
I'm facing an issue of "Access Token getting truncated when Apache HTTPD is in
front".
Though this issue is not directly associated with/related to Keycloak, it arises in combination with
Apache HTTPD + Keycloak, so I would like to take help from the experts here :)
Below are more details on the same.
Environment :
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.
Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 roles/permissions for the client with long names, ~25 characters per
permission name.
* Create a user and assign all of the above permissions for the newly created client.
* Access the Angular2 application running in the browser; for protected resources the
Keycloak login page is displayed, where the redirect_uri parameter is given/supplied.
* After entering valid user credentials, Keycloak redirects to the application's
redirect URL.
* However, an error is shown on the browser console: "failed at_hash".
o This is because an incomplete/truncated token is returned and the OIDC client library in the Angular
application tries to validate the token received.
Important point here:
* The defect mentioned only occurs when Apache is in front and used as a proxy/load
balancer server.
My analysis:
* As per my analysis, I see Keycloak returns the access_token information in a response
header during the redirect.
* Apache has a restriction of handling response headers or cookies only up to 8k in size.
* Even after setting various parameters in Apache HTTPD like
"LimitRequestFieldSize" and "LimitRequestLine", we are still getting this
error.
Please let me know if anyone has already experienced such an issue, OR has any alternative on
using/configuring Keycloak to redirect using part response..
Thanks and Regards.
Rahul Pharande
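An added example, not part of the original post and not Keycloak's or Apache's own code: a Python model of what the post describes. In the implicit flow the tokens travel in the URL fragment of the Location header, so the header line grows with every role mapped into the access token; if a proxy cuts that line at its buffer size, the id_token still parses but its at_hash no longer matches the access_token that arrived, which is exactly a "failed at_hash". Everything here is constructed: the issuer, client id, redirect URI, subject and role names are placeholders, the JWTs carry a dummy signature, the token claims are a minimal subset of what Keycloak emits, the id_token-before-access_token parameter order is an assumption, and `through_proxy` is a simplified model of a proxy that drops whatever does not fit its header-line buffer.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlsplit

# Apache httpd 2.4 reads a header line into an 8190-byte buffer by default
# (the LimitRequestFieldSize default); the post reports the same ~8k ceiling.
APACHE_HEADER_LINE_LIMIT = 8190

# Constructed placeholders for the example; none come from a real deployment.
ISSUER = "https://sso.example.com/auth/realms/demo"
CLIENT_ID = "angular-app"
REDIRECT_URI = "https://app.example.com/callback"
SUBJECT = "f1d2d2f9-24f0-4e3b-9c73-000000000001"
ROLE_NAME_LEN = 25  # the post's ~25-character permission names


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fake_jwt(payload: dict) -> str:
    """JWT-shaped string with a 256-byte placeholder signature (RS256 size):
    the right length and shape for measuring headers, but it would never verify."""
    def segment(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode("ascii"))
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return f"{segment(header)}.{segment(payload)}.{b64url(bytes(256))}"


def client_roles(num_roles: int) -> list:
    """num_roles constructed client role names, each ROLE_NAME_LEN characters."""
    return [f"permission-{i:03d}-".ljust(ROLE_NAME_LEN, "x") for i in range(num_roles)]


def at_hash(access_token: str) -> str:
    """OIDC Core at_hash for an RS256 ID token: base64url(left 128 bits of SHA-256(token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def build_implicit_redirect(num_roles: int) -> str:
    """Location value of an implicit-flow response: both tokens ride in the URL fragment."""
    access_token = fake_jwt({
        "iss": ISSUER, "sub": SUBJECT, "aud": CLIENT_ID, "azp": CLIENT_ID,
        "typ": "Bearer", "scope": "openid profile email",
        "resource_access": {CLIENT_ID: {"roles": client_roles(num_roles)}},
    })
    id_token = fake_jwt({
        "iss": ISSUER, "sub": SUBJECT, "aud": CLIENT_ID, "azp": CLIENT_ID,
        "typ": "ID", "preferred_username": "alice", "at_hash": at_hash(access_token),
    })
    # Assumed parameter order (id_token first). With it, a cut at the header-line limit
    # lands inside access_token, which is what an at_hash failure implies: the id_token
    # still parses, but its at_hash no longer matches the token that actually arrived.
    return (f"{REDIRECT_URI}#id_token={id_token}&access_token={access_token}"
            f"&token_type=Bearer&expires_in=300&state=af0ifjsldkj")


def header_line_bytes(value: str) -> int:
    return len(f"Location: {value}\r\n".encode("ascii"))


def through_proxy(value: str, limit: int = APACHE_HEADER_LINE_LIMIT) -> str:
    """Simplified model of a proxy with a `limit`-byte header-line buffer: whatever
    does not fit is dropped and the client receives the cut-off Location value."""
    line = f"Location: {value}\r\n".encode("ascii")[:limit]
    return line.decode("ascii")[len("Location: "):].rstrip("\r\n")


def client_validates(location: str) -> bool:
    """The browser-side OIDC library's at_hash step: recompute at_hash from the received
    access_token and compare with the id_token claim (signature/issuer checks omitted)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}
    if "id_token" not in params or "access_token" not in params:
        return False
    try:
        claims = json.loads(b64url_decode(params["id_token"].split(".")[1]))
    except (ValueError, IndexError):
        return False
    return claims.get("at_hash") == at_hash(params["access_token"])


def diagnose(num_roles: int, limit: int = APACHE_HEADER_LINE_LIMIT) -> dict:
    location = build_implicit_redirect(num_roles)
    size = header_line_bytes(location)
    return {
        "roles": num_roles,
        "header_line_bytes": size,
        "exceeds_limit": size > limit,
        "direct_at_hash_ok": client_validates(location),
        "proxied_at_hash_ok": client_validates(through_proxy(location, limit)),
    }


def smallest_breaking_role_count(limit: int = APACHE_HEADER_LINE_LIMIT) -> int:
    """First role count (for this token shape) whose redirect no longer survives the proxy."""
    n = 1
    while diagnose(n, limit)["proxied_at_hash_ok"]:
        n += 1
    return n


if __name__ == "__main__":
    print(diagnose(70))
    print("roles that break an 8190-byte header line with this token shape:",
          smallest_breaking_role_count())
```

The role count at which this model breaks is only indicative: a real Keycloak access token carries far more claims (realm roles, session and profile claims, timestamps), so the crossover comes sooner than the minimal payload above suggests. The useful check is to capture the actual Location value from a direct (non-proxied) request, pass it to `header_line_bytes` to see whether it exceeds the proxy's limit, and pass the proxied value to `client_validates` to confirm that the at_hash mismatch is the symptom of the cut. Note also that LimitRequestFieldSize and LimitRequestLine govern what httpd accepts from the client; which setting governs the response-header buffer on the proxy path depends on the httpd version, so check the mod_proxy documentation for the exact 2.4.x release in use.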