m4dm4rtig4n opened a new issue, #2415: URL: https://github.com/apache/apisix-ingress-controller/issues/2415
### Issue description

## Description

When attempting to authenticate via Keycloak (OIDC), the system returns a **431 - Request Header Fields Too Large** error, blocking access to the backend service.

---

## Symptoms

* Users are redirected to Keycloak for login
* After successful login, redirect back to the service fails with:

  ```
  HTTP/1.1 431 Request Header Fields Too Large
  ```
* The protected service remains inaccessible

---

## Suspected Causes

* Header size exceeds buffer limits in APISIX/NGINX
* Possible contributing factors:
  * Too many cookies from Keycloak
  * Oversized `id_token` or `access_token`
  * Repeated redirections increasing header size

---

## Actions Taken

* Increased buffer settings in APISIX:

  ```yaml
  client_header_buffer_size: 16k
  large_client_header_buffers:
    - 4
    - 64k
  ```

  > No noticeable improvement

---

## Next Steps

* [ ] Confirm total request header size during failure
* [ ] Enable full request header logging in APISIX
* [ ] Test `bearer_only: true` mode in plugin config
* [ ] Minimize Keycloak token size by adjusting scope/claims

---

## Logs & Config

Please attach:

* Relevant APISIX logs
* OIDC plugin configuration snippet

### Environment

* **Reverse proxy:** APISIX
* **Authentication provider:** Keycloak v24.0.4
* **Deployment:** Kubernetes + Helm
* **Ingress:** APISIX Ingress Controller with `openid-connect` plugin
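
For the first next step in the issue (confirming total request header size during failure), here is an added example; it is not part of the original report and not APISIX code. It sizes a captured request head and checks it against the `large_client_header_buffers` values quoted in the issue, using nginx's documented rule that the request line and each header field must fit in a single buffer. The sample request, host name and cookie names are constructed placeholders.

```python
def parse_size(value):
    """Convert an nginx-style size ('16k', '1m', '8192') to bytes."""
    units = {"k": 1024, "m": 1024 * 1024}
    v = value.strip().lower()
    return int(v[:-1]) * units[v[-1]] if v[-1] in units else int(v)


def measure_request_head(raw, buffer_count=4, buffer_size="64k"):
    """Size a raw request head (request line + header fields, CRLF-separated)
    and compare it with large_client_header_buffers = buffer_count x buffer_size."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    limit = parse_size(buffer_size)
    request_line = len(lines[0]) + 2          # +2 for the CRLF
    fields, cookies = [], {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields.append((name.decode("latin-1").strip(), len(line) + 2))
        if name.strip().lower() == b"cookie":
            for pair in value.split(b";"):
                pair = pair.strip()
                key = pair.partition(b"=")[0]
                if key:
                    cookies[key.decode("latin-1")] = len(pair)
    total = len(head) + 4                     # +4 for the terminating CRLF CRLF
    largest = max(fields, key=lambda f: f[1], default=("", 0))
    return {
        "total_bytes": total,
        "request_line_bytes": request_line,
        "largest_field": largest,
        "cookies_by_size": sorted(cookies.items(), key=lambda c: -c[1]),
        # nginx: the request line and each header field must fit in one buffer
        "line_exceeds_one_buffer": max(request_line, largest[1]) > limit,
        "total_exceeds_all_buffers": total > buffer_count * limit,
    }


# Constructed sample: placeholder cookie names and filler values, not captured data.
SAMPLE = (
    b"GET /callback?code=abc&state=xyz HTTP/1.1\r\n"
    b"Host: service.example.test\r\n"
    b"Cookie: session=" + b"A" * 4000 + b"; session_2=" + b"B" * 4000
    + b"; other=" + b"C" * 1500 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for key, val in measure_request_head(SAMPLE).items():
        print(f"{key}: {val}")
```

Running the same measurement on the request as it arrives at each hop (gateway and backend) shows which component's limit the head actually exceeds.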