Latest from the Blog

Keycloak S2S Verification with Postman and the aud Claim

In our previous post, we detailed why we moved away from legacy AD service users and adopted Keycloak’s Client Credentials Grant for secure Service-to-Service (S2S) authentication. We configured our Chat App Service (chat-app-service) to call the protected CRM API Gateway (crm-api-gateway), locking down access using the critical Audience (aud) claim. Now for the final, and most satisfying, step: Verification. We needed a standard, accessible tool to prove…

Secure Service-to-Service (S2S) Authentication in Microservices with Keycloak & Audience

Our Problem: The Fragility of Legacy S2S in a Microservices World

For years, when we needed one application to talk to another via a REST API, the solution was straightforward: we’d create a dedicated Active Directory (AD) service user. This approach worked beautifully with our monolithic applications, especially those running on .NET Framework on IIS. The tight integration with Windows Authentication made it seamless. …

Keycloak: Fixing “400 Bad Request – Request Header or Cookie Too Large” for Users with Many AD Groups

Problem Description

Users who are members of hundreds of Active Directory groups receive a “400 Bad Request – Request header or cookie too large” error when trying to authenticate to web applications through Keycloak using OIDC/Kerberos authentication.

Root Cause

When using Kerberos/SPNEGO authentication with Active Directory, the Kerberos authentication ticket contains ALL of the user’s…