[KEYCLOAK-9016] Document the client mapper to make use of Gatekeeper with the latest Keycloak releases

This commit is contained in:
Bruno Oliveira da Silva 2018-12-14 08:35:52 -02:00 committed by Matthew Helmke
parent 06854ceb06
commit 815c7f7ae6

@ -494,3 +494,6 @@ Assuming `--enable-metrics` has been set, a Prometheus endpoint can be found on
Keep in mind link:http://browsercookielimits.squawky.net/[browser cookie limits] if you use access or refresh tokens in the browser cookie. Keycloak-generic-adapter divides the cookie automatically if your cookie is longer than 4093 bytes. Real size of the cookie depends on the content of the issued access token. Also, encryption might add additional bytes to the cookie size. If you have large cookies (>200 KB), you might reach browser cookie limits.
All cookies are part of the header request, so you might find a problem with the max headers size limits in your infrastructure (some load balancers have very low this value, such as 8 KB). Be sure that all network devices have sufficient header size limits. Otherwise, your users won't be able to obtain an access token.
==== Known Issues
* There is a known issue with the Keycloak server 4.7.0.Final in which Gatekeeper is unable to find the _client_id_ in the _aud_ claim. This is due to the fact the _client_id_ is not in the audience anymore. The workaround is to add the "Audience" protocol mapper to the client with the audience pointed to the _client_id_. For more information, see link:https://issues.jboss.org/browse/KEYCLOAK-8954[KEYCLOAK-8954].
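Review bot: The new Known Issues bullet ties the problem to "Keycloak server 4.7.0.Final" only, while the commit subject says "the latest Keycloak releases"; state the affected range (for example "4.7.0.Final and later", if that is what is meant) so readers on other versions can tell whether it applies to them. The workaround sentence, "add the "Audience" protocol mapper to the client with the audience pointed to the _client_id_", should also say which client is meant (the one Gatekeeper is configured with) and which mapper setting receives the _client_id_, because the _aud_ check is what ties a token to this proxy and a reader guessing here may add a broader audience than needed. A short clause on whether the missing _client_id_ in _aud_ is an intended server change or a bug would help too, since "is not in the audience anymore" leaves that open and the linked KEYCLOAK-8954 is the only place to find out.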