The AM debug logs do not reveal why this is happening. Check your firewall request logs to find out exactly which requests are being blocked; AWS WAF logging records the rule that terminated each request, so the blocking rule can be identified there.
If you examine the network traffic using your browser's Developer Tools or capture a HAR file, you will notice that the POST body size exceeds 8 KB, as shown by the Content-Length request header.
You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM (All versions)?
- Implemented AWS WAF.
- Applied the AWS WAF Core rule set (CRS): AWSManagedRulesCommonRuleSet, which includes the SizeRestrictions_BODY rule.
- Enabled WAF rules for web request body inspection.
The CRS includes the SizeRestrictions_BODY firewall rule, which blocks web requests with body payloads larger than 8 KB (8,192 bytes). Any web request from AM (or any other web application) that exceeds this size therefore fails because the firewall blocks it. AM requests that can carry large bodies include authentication journeys, OAuth2 flows and so on.
AWS reduced this size restriction from 10 KB (10,240 bytes) on October 27, 2021, so web requests that succeeded before this date may now fail as a result.
Other rules that inspect the web request body can also cause POST requests with payloads larger than 8 KB to fail. See AWS WAF Web request body inspection for further information.
Since the POST body contains everything the client sends for that step of the request, its size is determined by factors such as the following:
- The number of nodes in your authentication tree and the complexity of your journey, because all callbacks for the current step are echoed back in the POST body. Consider things such as:
  - The elements included in your page nodes, such as input fields, links and so on.
  - Whether the Accept Terms and Conditions node is included in your tree, since it can pass a large amount of text.
  See Supported Callbacks for further information on all the callbacks.
- The JWT size if you are using client-based authentication sessions, because the in-progress authentication state then travels in the authId JWT that is sent back with every callback POST. See Choosing Where to Store Sessions for further information.
This issue can be resolved by reducing the size of the POST body for the failing web request(s) to less than 8 KB or by implementing a custom rule set:
- If you want to reduce the size of the POST body, examine what is being sent (use your browser's Developer Tools or capture a HAR file) and then make the necessary configuration changes so that only what is required is sent.
- If you want to implement a custom rule set, refer to the AWS documentation for further information: AWS WAF rules. Prefer a narrow exception (for example, overriding the SizeRestrictions_BODY rule only for the AM endpoints that need it) over disabling body inspection for the whole web ACL, and remember that other body-inspection rules may still block the same requests.
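The following script is an added example for the "examine what is being sent" step; it is not part of the original article and is not ForgeRock or AWS code. It reads a HAR file, lists every POST whose Content-Length or actual body exceeds the 8,192-byte SizeRestrictions_BODY threshold, and, for AM authentication requests, attributes the bytes to individual callbacks so you can see which node is responsible. It assumes the AM authenticate request body layout (a JSON object with authId and a callbacks array); the hostname, path and the HAR entries are constructed placeholders, not a real capture.

```python
import json
import sys

# SizeRestrictions_BODY threshold in the AWS CRS (8 KB since 2021-10-27)
BODY_LIMIT = 8192


def post_body_bytes(entry):
    """Return (declared Content-Length, actual encoded body size) for one HAR entry.

    Both are reported because a HAR stores the body as text while the firewall
    acts on the bytes on the wire; -1 means the Content-Length header was absent.
    """
    request = entry["request"]
    headers = {h["name"].lower(): h["value"] for h in request.get("headers", [])}
    declared = int(headers.get("content-length", -1))
    text = request.get("postData", {}).get("text", "")
    return declared, len(text.encode("utf-8"))


def callback_sizes(body_text):
    """Bytes used by each callback in an AM authenticate body, largest first.

    Returns [] when the body is not a JSON object with a callbacks array
    (for example a form-encoded OAuth2 token request).
    """
    try:
        body = json.loads(body_text)
    except (json.JSONDecodeError, TypeError):
        return []
    if not isinstance(body, dict):
        return []
    sizes = []
    for cb in body.get("callbacks", []):
        encoded = json.dumps(cb, separators=(",", ":")).encode("utf-8")
        sizes.append((cb.get("type", "?"), len(encoded)))
    return sorted(sizes, key=lambda item: item[1], reverse=True)


def oversized_posts(har, limit=BODY_LIMIT):
    """List every POST in the HAR whose body exceeds `limit` bytes."""
    findings = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        if request.get("method") != "POST":
            continue
        declared, actual = post_body_bytes(entry)
        if max(declared, actual) <= limit:
            continue
        findings.append({
            "url": request["url"],
            "content_length": declared,
            "body_bytes": actual,
            "callbacks": callback_sizes(request.get("postData", {}).get("text", "")),
        })
    return findings


# --- Constructed sample HAR (not a real capture) -----------------------------

def _entry(url, body):
    """Minimal HAR entry for a JSON POST; Content-Length matches the body."""
    return {"request": {
        "method": "POST", "url": url,
        "headers": [{"name": "Content-Type", "value": "application/json"},
                    {"name": "Content-Length", "value": str(len(body.encode("utf-8")))}],
        "postData": {"mimeType": "application/json", "text": body},
    }}


def _am_body(callbacks):
    # authId is a placeholder, not a real AM token
    return json.dumps({"authId": "constructed.auth.id", "callbacks": callbacks})


AM_AUTH_URL = "https://am.example.com/am/json/realms/root/authenticate"  # assumed host/path
TERMS_TEXT = "By using this service you agree to the following terms. " * 200  # ~11 KB of T&C

SAMPLE_HAR = {"log": {"entries": [
    # Step 1: a plain username/password page, well under the limit
    _entry(AM_AUTH_URL, _am_body([
        {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name"}],
         "input": [{"name": "IDToken1", "value": "alice"}]},
        {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password"}],
         "input": [{"name": "IDToken2", "value": "constructed-secret"}]},
    ])),
    # Step 2: the Accept Terms and Conditions node echoes the full terms text back
    _entry(AM_AUTH_URL, _am_body([
        {"type": "TermsAndConditionsCallback",
         "output": [{"name": "version", "value": "1.0"},
                    {"name": "terms", "value": TERMS_TEXT},
                    {"name": "createDate", "value": "2021-10-27T00:00:00Z"}],
         "input": [{"name": "IDToken1", "value": "true"}]},
    ])),
]}}


if __name__ == "__main__":
    # Usage: python har_body_size.py capture.har   (no argument: analyse the sample)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for f in oversized_posts(har):
        print(f"{f['url']}: Content-Length={f['content_length']} body={f['body_bytes']} bytes")
        for cb_type, size in f["callbacks"][:5]:
            print(f"  {cb_type}: {size} bytes")
```

Run it against the HAR you captured from the failing journey; the first callback listed under an oversized request is the one to shrink or move to a later step. A HAR file contains submitted credentials, authId tokens and cookies, so treat it as sensitive and delete it once the analysis is done.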
Configuring firewalls and implementing custom rule sets is outside the scope of ForgeRock support; you should consult your firewall expert for guidance.