This repository has been archived by the owner on Dec 7, 2020. It is now read-only.
431 Request header too large error when accessing protected resource
Summary
We have a few websites in a Kubernetes cluster configured behind Keycloak Gatekeeper. The sites work for most people, where the number of Keycloak roles they have is small. As an admin, or where people have a larger number of roles, the sites are not accessible due to a 431 error (Request Header Fields Too Large).
Environment
We are using 8.0.1 (git+sha: 4788367, built: 02-12-2019)
Keycloak version is 8.0.2
Expected Results
Regardless of how many roles a user has, they should be able to access the site
Actual Results
Number of roles affects the request header limit and those with a larger number are blocked
Steps to reproduce
Log in to the site using an admin user and a less privileged user
The admin will fail with a 431 error, and the less privileged user successfully loads the site
Additional Information
I believe I have successfully tested accessing the app directly and also through nginx without Keycloak Gatekeeper, using the same headers that do not work when I try to incorporate the gatekeeper image. All the logs and tests suggest that the problem lies with the keycloak-gatekeeper.
This is the log output I get when accessing the site with an admin user
{"level":"debug","ts":1593185076.7279189,"caller":"keycloak-gatekeeper/middleware.go:367","msg":"access permitted to resource","access":"permitted","email":"xxx","expires":3599.272081688,"resource":"/*"}
{"level":"info","ts":1593185076.7313688,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.003818838,"status":431,"bytes":0,"client_ip":"127.0.0.1:34960","method":"GET","path":"/"}
This is the log output I get when accessing the site with a lot fewer roles
{"level":"debug","ts":1593185539.1362739,"caller":"keycloak-gatekeeper/middleware.go:367","msg":"access permitted to resource","access":"permitted","email":"xxx","expires":3597.863726564,"resource":"/"}
{"level":"debug","ts":1593185539.1366208,"caller":"keycloak-gatekeeper/session.go:51","msg":"found the user identity","id":"xxx","name":"xxx","email":"xxx","roles":"xxx","groups":""}
{"level":"debug","ts":1593185539.1367803,"caller":"keycloak-gatekeeper/middleware.go:367","msg":"access permitted to resource","access":"permitted","email":"xxx","expires":3597.863220356,"resource":"/"}
{"level":"info","ts":1593185539.140711,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.004726859,"status":200,"bytes":6318,"client_ip":"127.0.0.1:44010","method":"GET","path":"/images/favicon.ico"}
That is not a real issue of the Louketo-proxy. It is a problem of:
1.) IDP admin - why does the token need to contain many user roles, when usually only a few roles are used for authorization? Keycloak offers LDAP filtering, so the IDP admin can easily limit the number of roles in the token at the client level.
OR
2.) Infrastructure admin - why is the infrastructure (in your case probably the nginx ingress) not prepared for request header sizes like that, when you want to use them?
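A way to measure this failure mode before it reaches the ingress, as an added example that is not part of the issue or of the Keycloak Gatekeeper / Louketo project: the script below builds a JWT with the same `realm_access` / `resource_access` layout Keycloak uses, measures the `Authorization: Bearer` header line the proxy forwards, and compares it against the 8 KiB that nginx's default `large_client_header_buffers 4 8k` allows for a single header line. It also shows the maintainer's first remedy in miniature: trimming the role list to the roles the application actually authorizes on brings the same token back under the limit. Assumptions: HS256 with a constructed secret stands in for Keycloak's RS256 signature (real tokens are larger, not smaller), the role names and claim values are constructed, and the proxy forwards the token as a Bearer header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; nothing below comes from the issue or
# from the Keycloak Gatekeeper / Louketo code base.
EXAMPLE_SECRET = b"example-hs256-secret"
# nginx's large_client_header_buffers default is "4 8k": a single header line
# that does not fit in one 8 KiB buffer yields 431 Request Header Fields Too Large.
NGINX_DEFAULT_HEADER_BUFFER = 8 * 1024


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def make_token(roles, email="user@example.test", client_roles=None) -> str:
    """Build a minimal HS256 JWT whose payload mirrors Keycloak's realm_access /
    resource_access claims. Constructed for illustration: real Keycloak access
    tokens are RS256-signed and carry more claims, so they are larger still.
    iat/exp stay 10 digits, so the token length depends only on the roles."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "iss": "https://idp.example.test/auth/realms/example",
        "sub": "00000000-0000-0000-0000-000000000000",
        "email": email,
        "iat": now,
        "exp": now + 3600,
        "realm_access": {"roles": list(roles)},
    }
    if client_roles:
        payload["resource_access"] = {
            client: {"roles": list(r)} for client, r in client_roles.items()
        }
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(payload))
    sig = hmac.new(EXAMPLE_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def header_bytes(token: str) -> int:
    """Size of the 'Authorization: Bearer <token>' line as forwarded upstream."""
    return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))


def exceeds_limit(token: str, limit: int = NGINX_DEFAULT_HEADER_BUFFER) -> bool:
    """True when the header line would not fit in one buffer of `limit` bytes."""
    return header_bytes(token) > limit


def filter_roles(roles, needed):
    """Keep only the roles the protected application authorizes on (the
    maintainer's point 1, normally done in the IdP via scope/role mappings)."""
    wanted = set(needed)
    return [r for r in roles if r in wanted]


def max_roles_under_limit(role_name_len=24, limit=NGINX_DEFAULT_HEADER_BUFFER) -> int:
    """Largest number of realm roles with names of `role_name_len` characters
    that still keep the Authorization header within `limit` (binary search)."""
    lo, hi = 0, 4096  # an empty role list always fits; 4096 roles never do
    while lo < hi:
        mid = (lo + hi + 1) // 2
        roles = [f"role-{i:0{role_name_len - 5}d}" for i in range(mid)]
        if exceeds_limit(make_token(roles), limit):
            hi = mid - 1
        else:
            lo = mid
    return lo


if __name__ == "__main__":
    admin = [f"role-{i:019d}" for i in range(400)]  # constructed: an admin with many roles
    print("admin header bytes:", header_bytes(make_token(admin)),
          "exceeds 8k:", exceeds_limit(make_token(admin)))
    trimmed = filter_roles(admin, ["role-0000000000000000000", "role-0000000000000000042"])
    print("trimmed header bytes:", header_bytes(make_token(trimmed)))
    print("max 24-char roles under the default buffer:", max_roles_under_limit())
```

Because the size is deterministic for a given role list, the same check can run in CI against the realm's actual role counts: if `max_roles_under_limit()` is below the number of roles an admin group carries, either the role mappings on the client or the ingress buffer size needs to change before that group is locked out.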
Related links
https://issues.redhat.com/browse/KEYCLOAK-3067?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel
kubernetes/ingress-nginx#4593
https://stackoverflow.com/questions/56796481/nginx-431-request-header-fields-too-large