m4dm4rtig4n opened a new issue, #12372:
URL: https://github.com/apache/apisix/issues/12372
### Current Behavior
### Issue description
When attempting to authenticate via Keycloak (OIDC), the system returns a
**431 - Request Header Fields Too Large** error, blocking access to the backend
service.
---
## Symptoms
* Users are redirected to Keycloak for login
* After successful login, redirect back to the service fails with:
```
HTTP/1.1 431 Request Header Fields Too Large
```
* The protected service remains inaccessible
---
## Suspected Causes
* Header size exceeds buffer limits in APISIX/NGINX
* Possible contributing factors:
  * Too many cookies from Keycloak
  * Oversized `id_token` or `access_token`
  * Repeated redirections increasing header size
---
## Workaround Identified (but not clean)
* Tried removing cookies via `proxy-rewrite` plugin:
```yaml
- name: proxy-rewrite
  config:
    headers:
      remove:
        - Cookie
```
> This workaround reduces header size, but feels like a hack and may
introduce side effects. It does not seem like a clean or long-term solution.
🛠️ To support this workaround more cleanly, a GitHub issue has been opened
to allow cookie removal directly in the Ingress spec without using a plugin:
👉 https://github.com/apache/apisix-ingress-controller/issues/2414
---
## Actions Taken
* Increased buffer settings in APISIX:
```yaml
client_header_buffer_size: 16k
large_client_header_buffers:
- 4
- 64k
```
> No noticeable improvement
### Environment
* **Reverse proxy:** APISIX
* **Authentication provider:** Keycloak v24.0.4
* **Deployment:** Kubernetes + Helm
* **Ingress:** APISIX Ingress Controller with `openid-connect` plugin
### Expected Behavior
_No response_
### Error Logs
_No response_
### Environment
- APISIX version (run `apisix version`):
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
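
An added diagnostic sketch, not part of the original issue or of APISIX: it measures each header line and cookie of a captured request against a `large_client_header_buffers` setting, using the values quoted in the issue and nginx's documented default of `4 8k`. The sample request, cookie names and host are constructed, and `header_report` is a hypothetical helper name.

```python
# Added example. Limits are (number_of_buffers, bytes_per_buffer).
ISSUE_LIMITS = (4, 64 * 1024)    # large_client_header_buffers from the issue
NGINX_DEFAULTS = (4, 8 * 1024)   # nginx's documented default: 4 8k

# Constructed sample: cookie names, sizes and host are made up for illustration.
SAMPLE = (
    b"GET /callback?code=abc&state=xyz HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: session=" + b"A" * 4000
    + b"; session_2=" + b"B" * 4000
    + b"; session_3=" + b"C" * 4000 + b"\r\n\r\n"
)


def header_report(raw_request, limits):
    """Measure each header line and cookie, and flag what exceeds `limits`."""
    count, size = limits
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    request_line, *lines = head.split(b"\r\n")
    findings, headers, cookies = [], {}, {}
    if len(request_line) + 2 > size:
        findings.append("request line does not fit in one buffer")
    for line in lines:
        name, _, value = line.partition(b":")
        key = name.decode("latin-1").strip().lower()
        wire_len = len(line) + 2  # include the trailing CRLF
        headers[key] = headers.get(key, 0) + wire_len
        # nginx requires a single header field to fit in one large buffer.
        if wire_len > size:
            findings.append(f"header '{key}' ({wire_len} B) does not fit in one buffer")
        if key == "cookie":
            for part in value.decode("latin-1").split(";"):
                cname, _, cval = part.strip().partition("=")
                if cname:
                    cookies[cname] = len(cname) + 1 + len(cval)
    total = len(head) + 4
    # Approximation: the whole header block cannot exceed count * size.
    if total > count * size:
        findings.append(f"header block ({total} B) exceeds {count} x {size} B")
    return {"total": total, "headers": headers, "cookies": cookies, "findings": findings}


if __name__ == "__main__":
    for label, limits in (("issue settings", ISSUE_LIMITS), ("nginx defaults", NGINX_DEFAULTS)):
        report = header_report(SAMPLE, limits)
        print(label, report["total"], report["findings"])
        for cname, n in sorted(report["cookies"].items(), key=lambda kv: -kv[1]):
            print(f"  cookie {cname}: {n} B")
```

An empty findings list under the configured limits points the search toward another hop in the request path that enforces its own header limit.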