[keycloak-dev] Access Token getting truncated when apache HTTPD is in front

Pharande Rahul rahul.pharande at gi-de.com
Tue Nov 7 08:11:38 EST 2017


Hello Team,

I'm facing issue of "Access Token getting truncated when apache HTTPD is in front".
Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here :)

Below are more details on same.

Environnent :

o   Server : Keycloak v3.x

o   Proxy server :    Apache HTTPD 2.4.x

o   Client: Angular2 application using OIDC library.

Issue Description / Steps to reproduce:

*         Create realm in Keycloak

*         Create client for realm along with redirect url etc.

*         Create ~70 role/permissions for client with longer names ~25 characters in permission name.

*         Create user and assign all above permissions for newly created client.

*         Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied.

*         After entering valid user credentials, keycloak redirects to Application's redirect URL

*         However error shown on browser console that, "failed at_hash".

o   This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received.
Important point here:

*         Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.

My analysis:

*         As per my analysis, I see Keycloak returns access_token information in response header during redirect

*         Apache has restriction of handling response header  or cookies of size upto 8k

*         Even after setting, various parameters in Apache HTTPD like - "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.


Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response..

Thanks and Regards.
Rahul Pharande



More information about the keycloak-dev mailing list