oauth2-token-introspection-oss - problem with long tokens #26
Comments
Thanks for reporting this. Will investigate.
I've encountered another issue: it seems that nginx also adds extra line breaks to the incoming long access token. Therefore, although the newly generated OAuth2 access token is still fresh and valid, the proxy_pass for _oauth2_send_introspection_request always returns
However, when the same access token is used with Postman against the same introspect endpoint, http://localhost:8080/auth/realms/dev/protocol/openid-connect/token/introspect, it successfully retrieves info on the subject concerned. In order to further confirm this issue, I've explicitly added a new location on the same virtual host (127.0.0.1:9590) in nginx, which proxies to the same introspect endpoint, http://localhost:**8080**/auth/realms/dev/protocol/openid-connect/token/introspect
When I tried to post the same access token with Postman to http://localhost:**9590**/auth/realms/dev/protocol/openid-connect/token/introspect, the same issue was reproduced. In order to investigate this issue, I enabled io.undertow.server.handlers.RequestDumpingHandler in Keycloak and found that nginx actually splits the long access token into multiple lines (with extra line breaks), which results in the active: false response from Keycloak when the introspect request is proxied to Keycloak via nginx. The following examples show how the POST data look when proxied by nginx and when sent directly to the introspect endpoint with Postman, respectively.
@idavollen Can you share your nginx.conf? I use nginx/1.17.0 and njs 0.3.8 and cannot reproduce it.
@xeioex I've fixed my issue by adding the following:
You mean inside the "/_oauth2_send_introspection_request" location, right?
@xeioex I didn't explicitly turn it off. However, it works well after I added two lines inside /_oauth2_send_introspection_request
Thanks for the response. Can you verify it again, please (by commenting out
@xeioex
Tested the example configuration, and nginx seems to cut off the end of the token sent for introspection to an OAuth server.
I enabled debug logging and can see that the JS script is calling /_oauth2_send_introspection_request with the full token in place. But when the request is sent to the OAuth server, the content length is trimmed to 1263 characters instead of the 1660 characters in the token.
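As an added example (not code from this issue or from the project), a small Python check that takes the request body as it arrived at the authorization server (the kind of capture RequestDumpingHandler produces) and flags the two symptoms reported in this thread: line breaks inserted into the token, and a token cut short of what the client sent. The token and the captured bodies are constructed samples, not real tokens or real dumps.

```python
from urllib.parse import parse_qsl

# Constructed stand-in for an access token; it is NOT a real JWT, just three
# dot-separated segments long enough to exercise the checks below.
SAMPLE_TOKEN = "header." + "p" * 1200 + "." + "s" * 300


def check_introspection_body(raw_body: bytes, declared_length: int, sent_token: str) -> dict:
    """Compare the form body that reached the authorization server with the
    token the client actually sent, and report the defects discussed above."""
    text = raw_body.decode("ascii", errors="replace")
    received = dict(parse_qsl(text, keep_blank_values=True)).get("token", "")
    return {
        # Content-Length header disagrees with the bytes actually on the wire
        "length_mismatch": declared_length != len(raw_body),
        # CR/LF inside the form body, i.e. a token wrapped onto several lines
        "line_breaks_in_body": "\r" in text or "\n" in text,
        # token arrived byte-for-byte as it was sent
        "token_intact": received == sent_token,
        # token is a strict prefix of what was sent: cut off at the end
        "token_truncated": received != sent_token and sent_token.startswith(received),
        "received_length": len(received),
    }


def demo() -> dict:
    """Three constructed captures: a clean body, one with CRLF wrapped into the
    token, and one cut short the way the 1263-of-1660 report describes."""
    clean = ("token=" + SAMPLE_TOKEN).encode()
    wrapped = ("token=" + SAMPLE_TOKEN[:700] + "\r\n" + SAMPLE_TOKEN[700:]).encode()
    cut = ("token=" + SAMPLE_TOKEN[:1000]).encode()
    return {
        "clean": check_introspection_body(clean, len(clean), SAMPLE_TOKEN),
        "wrapped": check_introspection_body(wrapped, len(wrapped), SAMPLE_TOKEN),
        "truncated": check_introspection_body(cut, len(cut), SAMPLE_TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Feed it the body bytes and Content-Length from the server-side dump together with the token the client logged, and the report tells you whether the proxy wrapped, cut, or preserved the token.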