From 815c7f7ae6e1db872dc1254482052d313b5105ea Mon Sep 17 00:00:00 2001 From: Bruno Oliveira da Silva Date: Fri, 14 Dec 2018 08:35:52 -0200 Subject: [PATCH] [KEYCLOAK-9016] Document the client mapper to make use of Gatekeeper with the latest Keycloak releases --- securing_apps/topics/oidc/keycloak-gatekeeper.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/securing_apps/topics/oidc/keycloak-gatekeeper.adoc b/securing_apps/topics/oidc/keycloak-gatekeeper.adoc index 72219540f8..f168fa3b51 100644 --- a/securing_apps/topics/oidc/keycloak-gatekeeper.adoc +++ b/securing_apps/topics/oidc/keycloak-gatekeeper.adoc 
@@ -493,4 +493,7 @@ Assuming `--enable-metrics` has been set, a Prometheus endpoint can be found on Keep in mind link:http://browsercookielimits.squawky.net/[browser cookie limits] if you use access or refresh tokens in the browser cookie. Keycloak-generic-adapter divides the cookie automatically if your cookie is longer than 4093 bytes. Real size of the cookie depends on the content of the issued access token. Also, encryption might add additional bytes to the cookie size. If you have large cookies (>200 KB), you might reach browser cookie limits. -All cookies are part of the header request, so you might find a problem with the max headers size limits in your infrastructure (some load balancers have very low this value, such as 8 KB). Be sure that all network devices have sufficient header size limits. Otherwise, your users won't be able to obtain an access token. \ No newline at end of file +All cookies are part of the header request, so you might find a problem with the max headers size limits in your infrastructure (some load balancers have very low this value, such as 8 KB). Be sure that all network devices have sufficient header size limits. Otherwise, your users won't be able to obtain an access token. + +==== Known Issues +* There is a known issue with the Keycloak server 4.7.0.Final in which Gatekeeper is unable to find the _client_id_ in the _aud_ claim. This is due to the fact the _client_id_ is not in the audience anymore. The workaround is to add the "Audience" protocol mapper to the client with the audience pointed to the _client_id_. For more information, see link:https://issues.jboss.org/browse/KEYCLOAK-8954[KEYCLOAK-8954].
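Review bot: The new Known Issues bullet pins the problem to "Keycloak server 4.7.0.Final", but the commit subject says the mapper is needed "with the latest Keycloak releases", and the bullet itself explains that the _client_id_ "is not in the audience anymore", which is a behaviour change from that version onward rather than a defect in one release; wording it as "4.7.0.Final and later" would keep readers on newer releases from skipping the workaround. While the hunk already re-emits the preceding paragraph (only to add the missing trailing newline), it could also fix the pre-existing grammar "some load balancers have very low this value" to "some load balancers set this value very low". The workaround would also be clearer if it said that the "Audience" protocol mapper is added on the client Gatekeeper authenticates against and that the configured audience must equal the _client_id_ Gatekeeper is started with, since that is the value it looks for in the _aud_ claim.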