louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0
950 stars 343 forks

431 Request header too large error when accessing protected resource #652

Closed belindac-vd closed 4 years ago

belindac-vd commented 4 years ago

Title

431 Request header too large error when accessing protected resource

Summary

We have a few websites in a kubernetes cluster configured behind Keycloak Gatekeeper. The sites work for most people where the number of keycloak roles they have is small. As an admin or where people have a larger number of roles, the sites are not accessible due to a 431 error (Request Header Fields Too Large).

Environment

We are using 8.0.1 (git+sha: 4788367, built: 02-12-2019) Keycloak version is 8.0.2

Expected Results

Regardless of how many roles a user has, they should be able to access the site

Actual Results

Number of roles affects the request header limit and those with a larger number are blocked

Steps to reproduce

Log in to the site using an admin user and a less privileged user. The admin will fail with a 431 error, and the less privileged user successfully loads the site.

Additional Information

I believe I have successfully tested accessing the app directly and also through nginx without keycloak gatekeeper using the same headers that do not work when I try incorporate the gatekeeper image. All the logs and tests suggest that the problem lies with the keycloak-gatekeeper.

This is the log output I get when accessing the site with an admin user

{"level":"debug","ts":1593185076.7279189,"caller":"keycloak-gatekeeper/middleware.go:367","msg":"access permitted to resource","access":"permitted","email":"xxx","expires":3599.272081688,"resource":"/*"}
{"level":"info","ts":1593185076.7313688,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.003818838,"status":431,"bytes":0,"client_ip":"127.0.0.1:34960","method":"GET","path":"/"}

This is the log output I get when accessing the site with a lot fewer roles

{"level":"debug","ts":1593185539.1362739,"caller":"keycloak-gatekeeper/middleware.go:367","msg":"access permitted to resource","access":"permitted","email":"xxx","expires":3597.863726564,"resource":"/"}
{"level":"debug","ts":1593185539.1366208,"caller":"keycloak-gatekeeper/session.go:51","msg":"found the user identity","id":"xxx","name":"xxx","email":"xxx","roles":"xxx","groups":""}
{"level":"debug","ts":1593185539.1367803,"caller":"keycloak-gatekeeper/middleware.go:367","msg":"access permitted to resource","access":"permitted","email":"xxx","expires":3597.863220356,"resource":"/"}
{"level":"info","ts":1593185539.140711,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.004726859,"status":200,"bytes":6318,"client_ip":"127.0.0.1:44010","method":"GET","path":"/images/favicon.ico"}

These are some articles I found:
https://issues.redhat.com/browse/KEYCLOAK-3067?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel
https://github.com/kubernetes/ingress-nginx/issues/4593
https://stackoverflow.com/questions/56796481/nginx-431-request-header-fields-too-large

jangaraj commented 4 years ago

That is not a real issue of the Louketo-proxy. It is a problem of: 1.) IDP admin - why does the token need to contain many user roles, when usually only a few roles are used for authorization? Keycloak offers LDAP filtering, so the IDP admin can easily limit the number of roles in the token at the client level.

OR

2.) Infrastructure admin - why is the infrastructure (in your case probably the nginx ingress) not prepared for such request header sizes, when you want to use them?
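The mechanism behind both the report above and jangaraj's reply is that every role added to the token's `realm_access.roles` claim grows the base64url-encoded JWT, and the JWT comes back on every request inside the session cookie, so the request header size scales linearly with the role count until a proxy buffer limit is hit. The following Go program is an added example written for this thread; it is not code from louketo-proxy or Keycloak. It constructs an unsigned, Keycloak-shaped payload with N roles, measures the resulting cookie header line, and reports the first role count at which the header exceeds a buffer limit. Assumptions: the cookie name `kc-access` (taken here as the gatekeeper's default access cookie name), the role names and subject/email values (constructed), an RS256 signature over a 2048-bit key (256 bytes, 342 base64url characters), and a limit of 8192 bytes, which is the size of one of nginx's default `large_client_header_buffers`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// claims mirrors the part of a Keycloak access token that grows with roles.
// This is a constructed, unsigned payload used only to measure encoded size.
type claims struct {
	Sub         string `json:"sub"`
	Email       string `json:"email"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// buildToken returns a JWT-shaped string "header.payload.signature" whose
// payload carries nRoles realm roles. The signature is a fixed placeholder
// of the length RS256 produces with a 2048-bit key (assumption, see lead-in).
func buildToken(nRoles int) string {
	var c claims
	c.Sub = "00000000-0000-0000-0000-000000000000" // constructed
	c.Email = "user@example.test"                  // constructed
	c.RealmAccess.Roles = make([]string, 0, nRoles)
	for i := 0; i < nRoles; i++ {
		c.RealmAccess.Roles = append(c.RealmAccess.Roles, fmt.Sprintf("app-role-%03d", i))
	}
	payload, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	sig := make([]byte, 342) // placeholder signature, 342 base64url chars
	for i := range sig {
		sig[i] = 'A'
	}
	return header + "." + enc.EncodeToString(payload) + "." + string(sig)
}

// cookieHeaderLen is the byte length of the "Cookie: <name>=<token>\r\n"
// line the browser sends back on every request. If a proxy splits a large
// token across several cookies, the total bytes on the wire are the same.
func cookieHeaderLen(cookieName, token string) int {
	return len("Cookie: ") + len(cookieName) + 1 + len(token) + 2
}

// exceedsLimit reports whether a header line is larger than the buffer a
// server is willing to read it into.
func exceedsLimit(headerLen, limit int) bool {
	return headerLen > limit
}

// rolesUntilLimit returns the smallest number of roles at which the cookie
// header exceeds limit, i.e. the point where a 431 would start appearing.
func rolesUntilLimit(cookieName string, limit int) int {
	for n := 0; ; n++ {
		if exceedsLimit(cookieHeaderLen(cookieName, buildToken(n)), limit) {
			return n
		}
	}
}

func main() {
	const cookieName = "kc-access" // assumed default access cookie name
	const nginxBuf = 8192          // nginx default large_client_header_buffers size
	for _, n := range []int{0, 10, 100, 400} {
		l := cookieHeaderLen(cookieName, buildToken(n))
		fmt.Printf("roles=%3d cookie header=%5d bytes exceeds 8k=%v\n",
			n, l, exceedsLimit(l, nginxBuf))
	}
	fmt.Printf("first role count over 8k buffer: %d\n", rolesUntilLimit(cookieName, nginxBuf))
}
```

Run it and compare the printed threshold with the role count of the admin user that gets the 431; the two fixes in jangaraj's reply correspond to moving either side of that inequality: fewer roles in the token (disabling full scope or using a mapper) shrinks the left-hand side, raising the ingress header buffer raises the right-hand side.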

belindac-vd commented 4 years ago

Thank you for your help - turning off the full scope in keycloak has resolved my issue.