-
Notifications
You must be signed in to change notification settings - Fork 343
Large kc_access cookies appear to be improperly decoded prior to parsing #409
Comments
My PR: https://github.com/gambol99/keycloak-proxy/pull/279/files I'm not sure what is wrong here. |
My hypothesis could very well be incorrect, and I'm happy to accept that! Do you have another idea why malformed JWS errors would be produced, when the JWT token is confirmed valid? |
Config currently used:
|
Any middle box between browser and keycloak-proxy? I see k8s, so probably nginx is there and nginx doesn't have a good default configuration for large request headers (and you are sending quite huge cookies there). Try to check your middleboxes logs. Maybe some middle box is dropping/truncating cookies. Are the cookies stored correctly in the browser? |
I believe I've found the error. I just changed the k8s services to be of type LoadBalancer and hit the public IP address, this way the only middleman is Azure LB (which is only a layer 4 LB, so no limits on header/cookie sizes). I receive the same error. However, in checking chrome devtools, I receive the following warning:
Looks like the cookie is still too long. |
In piping the value of just the @jangaraj Would you be able to produce a test docker build that reduces the 4089 limit down to about 4000? |
Yes, that's a problem. I've used information from http://browsercookielimits.squawky.net/. |
Confirmed. Thanks to a well-made makefile, I was able to build, push an image to docker hub and pull it on a k8s cluster to test. I now have made it out of the redirect loop, and am forwarded on to the k8s dashboard. See #410 for a quick PR to address this. |
Not tested version - WIP: master...jangaraj:master @jcrowthe Could you test it, please? Relevant settings of
For the record,
Max cookie size - https://www.ietf.org/rfc/rfc2109.txt:
Constant |
@jcrowthe it seems like your issue was addressed in @jangaraj's PR. The repository keycloak-proxy was moved to Keycloak organization and renamed to keycloak-gatekeeper. If you still think this issue is valid, please read https://www.keycloak.org/community.html and report your bug/feature request to https://issues.jboss.org/browse/KEYCLOAK. |
I am looking to utilize keycloak-proxy with Azure AD using OIDC. It appears to be functional, with the expected JWT token being return to the keycloak-proxy, but I receive the following errors in redirect loop:
In taking a packet capture of keycloak-proxy (SSL offloaded previously), I receive the following (JWT obscured):
I can extract and concatenate the two
kc-access
values to produce a valid JWT token, including a vast number of groups (all of which are very long GUID's).The
malformed JWS, only [1|2] segments
appears to be originating from here. I believe there is some error in the concatenating code where the token is not being concatenated properly prior to being decoded with coreos/go-oidc.Any help here would be greatly appreciated!
The text was updated successfully, but these errors were encountered: