logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Other Software View previous topic :: View next topic
Reply to topic   Topic: Access Token getting truncated when apache HTTPD is in front
Author
asraf_apache



Joined: 09 Nov 2017
Posts: 1
Location: india,pune

PostPosted: Thu 09 Nov '17 10:51    Post subject: Access Token getting truncated when apache HTTPD is in front Reply with quote

I'm facing issue of "Access Token getting truncated when apache HTTPD is in front".
Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here Smile

Below are more details on same.

Environnent :

o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.

Issue Description / Steps to reproduce:

* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25 characters in permission name.
* Create user and assign all above permissions for newly created client.
* Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to Application's redirect URL
* However error shown on browser console that, "failed at_hash".

o2 This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received.
Important point here:

* Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.

My analysis:

* As per my analysis, I see Keycloak returns access_token information in response header during redirect
* Apache has restriction of handling response header or cookies of size upto 8k
* Even after setting, various parameters in Apache HTTPD like - "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.


Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response..


Thanks in Advance
Asraf Shaikh
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7360
Location: Germany, Next to Hamburg

PostPosted: Tue 21 Nov '17 17:37    Post subject: Reply with quote

If you don't pre-specify Content-length, Apache have to use chunked transfer .
The solution to your problem is to force Apache treat the request as HTTP/1.0 by setting downgrade-1.0 environment variable. The chunked Transfer-Encoding is a HTTP/1.1 feature, and Apache won't use it for HTTP/1.0 request.

E.g. here is how you could disable chunked responses for php files:

++++++++++++
apache.conf
++++++++++++

<Files *.php>
SetEnv downgrade-1.0
</Files>
Back to top


Reply to topic   Topic: Access Token getting truncated when apache HTTPD is in front View previous topic :: View next topic
Post new topic   Forum Index -> Other Software