rabbitmq / rabbitmq-oauth2-tutorial

Explore integration of RabbitMQ with OAuth 2.0 auth backend plugin

Frame too large error when using a large JWT token #21

Closed alexandernajafi closed 1 year ago

alexandernajafi commented 1 year ago

Describe the bug

Adding a lot of different permissions for RabbitMQ to a user causes the JWT token to grow quite a lot. When a large token is sent to RabbitMQ (more than 4096 chars), an error occurs and the authentication fails:

closing AMQP connection <0.5765.0> (xx.xx.xx.xx:38158 -> xx.xx.xx.xx:5672):
{handshake_error,starting,0,
                 {amqp_error,frame_error,
                             "type 1, all octets = <<>>: {frame_too_large,4776,4088}",
                             none}}

It seems like if you increase the initial_frame_max setting, a larger token is allowed.

Is this an expected behaviour? And what are your recommendations on choosing a value for initial_frame_max? Maybe the documentation should be updated.

Reproduction steps

  1. Launch Keycloak and RabbitMQ according to your guide
  2. Create a user and add 200 roles with UUIDs as names
  3. Create a token and try to use it for authentication in RabbitMQ

Expected behavior

Authentication is successful

Additional context

No response

MarcialRosales commented 1 year ago

It is not a bug. It is working as designed. The AMQP protocol defines a maximum frame size. Typically, 4096 (initial_frame_max) bytes is more than sufficient for the SASL negotiation frame, which carries the credentials. In this case, your token exceeds it and you need to configure RabbitMQ to accommodate your requirements.

We had a similar issue in the management UI which was solved after the management UI stopped using cookies to store credentials. Cookies also had a limit of 4096 which cannot be exceeded.
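
A pre-flight size check for the situation discussed in this issue, as an added example that is not part of the original thread or of the tutorial's code: it builds the AMQP 0-9-1 Connection.StartOk payload that carries the token in the SASL PLAIN response and compares its size with the limit. Assumptions: the token is sent as the PLAIN password, the limit is initial_frame_max minus 8 bytes of frame overhead (as the 4088 in the log suggests for 4096), and the client properties and token are constructed samples; `check`, `start_ok_payload` and the `SAMPLE_*` names are hypothetical.

```python
import struct

FRAME_OVERHEAD = 8  # AMQP 0-9-1: 7-byte frame header + 1-byte frame-end (assumed basis of 4096 -> 4088)

def shortstr(s):
    b = s.encode()
    return struct.pack("!B", len(b)) + b

def longstr(b):
    return struct.pack("!I", len(b)) + b

def field_table(d):
    """Encode str/bool/dict values as an AMQP 0-9-1 field table."""
    body = b""
    for k, v in d.items():
        body += shortstr(k)
        if isinstance(v, bool):
            body += b"t" + struct.pack("!B", v)
        elif isinstance(v, dict):
            body += b"F" + field_table(v)
        else:
            body += b"S" + longstr(str(v).encode())
    return longstr(body)

def start_ok_payload(token, client_properties, username=""):
    """Payload of the Connection.StartOk method frame using SASL PLAIN."""
    response = b"\0" + username.encode() + b"\0" + token.encode()
    return (struct.pack("!HH", 10, 11)  # class 10 (connection), method 11 (start-ok)
            + field_table(client_properties)
            + shortstr("PLAIN")
            + longstr(response)
            + shortstr("en_US"))

def check(token, client_properties, initial_frame_max=4096):
    """Compare the handshake payload size with the pre-authentication limit."""
    size = len(start_ok_payload(token, client_properties))
    limit = initial_frame_max - FRAME_OVERHEAD
    return {"payload": size, "limit": limit, "fits": size <= limit,
            "min_initial_frame_max": size + FRAME_OVERHEAD}

# Constructed sample inputs, not taken from the issue.
SAMPLE_PROPS = {"product": "example-client", "version": "0.0.0",
                "capabilities": {"publisher_confirms": True}}
SAMPLE_TOKEN = "x" * 4500

if __name__ == "__main__":
    print(check(SAMPLE_TOKEN, SAMPLE_PROPS))
```

Real client libraries send larger client-properties tables than this sample, so measure with the properties your client actually sends. Because this limit applies to frames received before authentication completes, raise initial_frame_max only as far as the largest expected token requires.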