[keycloak-dev] Access Token getting truncated when apache HTTPD is in front
Pharande Rahul
rahul.pharande at gi-de.com
Tue Nov 7 08:11:38 EST 2017
Hello Team,
I'm facing issue of "Access Token getting truncated when apache HTTPD is in front".
Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here :)
Below are more details on same.
Environnent :
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.
Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25 characters in permission name.
* Create user and assign all above permissions for newly created client.
* Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to Application's redirect URL
* However error shown on browser console that, "failed at_hash".
o This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received.
Important point here:
* Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.
My analysis:
* As per my analysis, I see Keycloak returns access_token information in response header during redirect
* Apache has restriction of handling response header or cookies of size upto 8k
* Even after setting, various parameters in Apache HTTPD like - "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.
Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response..
Thanks and Regards.
Rahul Pharande
More information about the keycloak-dev
mailing list