7:11 a.m.
Hello Team,
I'm facing issue of "Access Token getting truncated when apache HTTPD is in
front".
Though this issue is not directly associated/related to Keycloak but in combination with
Apache HTTPD + Keycloak, I would like to take help from experts here :)
Below are more details on same.
Environnent :
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.
Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25 characters in
permission name.
* Create user and assign all above permissions for newly created client.
* Access Angular2 application running in browser, and for protected resources
Keycloak login page displayed where redirect_uri parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to Application's
redirect URL
* However error shown on browser console that, "failed at_hash".
o This is because incomplete/truncated token returned and OIDC client library in Angular
application tries to validate token received.
Important point here:
* Defect mentioned only occurs when Apache is in front and used as proxy/load
balancer server.
My analysis:
* As per my analysis, I see Keycloak returns access_token information in response
header during redirect
* Apache has restriction of handling response header or cookies of size upto 8k
* Even after setting, various parameters in Apache HTTPD like -
"LimitRequestFieldSize", "LimitRequestLine" we are still getting this
error.
Please let me know if anyone already experienced such issue OR has any alternative on
using/configuring Keycloak to redirect using part response..
Thanks and Regards.
Rahul Pharande
9:24 a.m.
If you increased LimitRequestFieldSize to more than the actual size of the
header, then this error should be gone or you should be getting a different
error. Unless you have another proxy / load balancer in front of your
Apache, or between Apache and Keycloak.
I'd do a little test using curl, setting a header of large length, and
tcpdump on Keycloak host to make sure header gets through.
On Tue, Nov 7, 2017 at 1:11 PM, Pharande Rahul <rahul.pharande(a)gi-de.com>
wrote:
Hello Team,
I'm facing issue of "Access Token getting truncated when apache HTTPD is
in front".
Though this issue is not directly associated/related to Keycloak but in
combination with Apache HTTPD + Keycloak, I would like to take help from
experts here :)
Below are more details on same.
Environnent :
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.
Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25
characters in permission name.
* Create user and assign all above permissions for newly created
client.
* Access Angular2 application running in browser, and for
protected resources Keycloak login page displayed where redirect_uri
parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to
Application's redirect URL
* However error shown on browser console that, "failed at_hash".
o This is because incomplete/truncated token returned and OIDC client
library in Angular application tries to validate token received.
Important point here:
* Defect mentioned only occurs when Apache is in front and used as
proxy/load balancer server.
My analysis:
* As per my analysis, I see Keycloak returns access_token
information in response header during redirect
* Apache has restriction of handling response header or cookies
of size upto 8k
* Even after setting, various parameters in Apache HTTPD like -
"LimitRequestFieldSize", "LimitRequestLine" we are still getting this
error.
Please let me know if anyone already experienced such issue OR has any
alternative on using/configuring Keycloak to redirect using part response..
Thanks and Regards.
Rahul Pharande
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:40 a.m.
And please use keycloak-user mailing list for questions like this.
On Tue, Nov 7, 2017 at 3:24 PM, Marko Strukelj <mstrukel(a)redhat.com> wrote:
If you increased LimitRequestFieldSize to more than the actual size
of the
header, then this error should be gone or you should be getting a different
error. Unless you have another proxy / load balancer in front of your
Apache, or between Apache and Keycloak.
I'd do a little test using curl, setting a header of large length, and
tcpdump on Keycloak host to make sure header gets through.
On Tue, Nov 7, 2017 at 1:11 PM, Pharande Rahul <rahul.pharande(a)gi-de.com>
wrote:
> Hello Team,
>
> I'm facing issue of "Access Token getting truncated when apache HTTPD is
> in front".
> Though this issue is not directly associated/related to Keycloak but in
> combination with Apache HTTPD + Keycloak, I would like to take help from
> experts here :)
>
> Below are more details on same.
>
> Environnent :
>
> o Server : Keycloak v3.x
>
> o Proxy server : Apache HTTPD 2.4.x
>
> o Client: Angular2 application using OIDC library.
>
> Issue Description / Steps to reproduce:
>
> * Create realm in Keycloak
>
> * Create client for realm along with redirect url etc.
>
> * Create ~70 role/permissions for client with longer names ~25
> characters in permission name.
>
> * Create user and assign all above permissions for newly created
> client.
>
> * Access Angular2 application running in browser, and for
> protected resources Keycloak login page displayed where redirect_uri
> parameter is given/supplied.
>
> * After entering valid user credentials, keycloak redirects to
> Application's redirect URL
>
> * However error shown on browser console that, "failed at_hash".
>
> o This is because incomplete/truncated token returned and OIDC client
> library in Angular application tries to validate token received.
> Important point here:
>
> * Defect mentioned only occurs when Apache is in front and used
> as proxy/load balancer server.
>
> My analysis:
>
> * As per my analysis, I see Keycloak returns access_token
> information in response header during redirect
>
> * Apache has restriction of handling response header or cookies
> of size upto 8k
>
> * Even after setting, various parameters in Apache HTTPD like -
> "LimitRequestFieldSize", "LimitRequestLine" we are still getting
this error.
>
>
> Please let me know if anyone already experienced such issue OR has any
> alternative on using/configuring Keycloak to redirect using part response..
>
> Thanks and Regards.
> Rahul Pharande
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
10:47 p.m.
Hi Marko,
Thanks for quick reply. I already tried setting LimitRequestFieldSize already with very
large value but didn’t help.
Looking forward for your test results.
Thanks and Regards.
Rahul Pharande
From: Marko Strukelj [mailto:mstrukel@redhat.com]
Sent: Tuesday, November 07, 2017 8:55 PM
To: Pharande Rahul
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Access Token getting truncated when apache HTTPD is in front
If you increased LimitRequestFieldSize to more than the actual size of the header, then
this error should be gone or you should be getting a different error. Unless you have
another proxy / load balancer in front of your Apache, or between Apache and Keycloak.
I'd do a little test using curl, setting a header of large length, and tcpdump on
Keycloak host to make sure header gets through.
On Tue, Nov 7, 2017 at 1:11 PM, Pharande Rahul
<rahul.pharande@gi-de.com<mailto:rahul.pharande@gi-de.com>> wrote:
Hello Team,
I'm facing issue of "Access Token getting truncated when apache HTTPD is in
front".
Though this issue is not directly associated/related to Keycloak but in combination with
Apache HTTPD + Keycloak, I would like to take help from experts here :)
Below are more details on same.
Environnent :
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.
Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25 characters in
permission name.
* Create user and assign all above permissions for newly created client.
* Access Angular2 application running in browser, and for protected resources
Keycloak login page displayed where redirect_uri parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to Application's
redirect URL
* However error shown on browser console that, "failed at_hash".
o This is because incomplete/truncated token returned and OIDC client library in Angular
application tries to validate token received.
Important point here:
* Defect mentioned only occurs when Apache is in front and used as proxy/load
balancer server.
My analysis:
* As per my analysis, I see Keycloak returns access_token information in response
header during redirect
* Apache has restriction of handling response header or cookies of size upto 8k
* Even after setting, various parameters in Apache HTTPD like -
"LimitRequestFieldSize", "LimitRequestLine" we are still getting this
error.
Please let me know if anyone already experienced such issue OR has any alternative on
using/configuring Keycloak to redirect using part response..
Thanks and Regards.
Rahul Pharande
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2605
days inactive
2606
days old
3 comments
2 participants
participants (2)
-
Marko Strukelj -
Pharande Rahul