Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

AWS web application firewall blocks traffic from AM (All versions) causing authentication flows to fail

Last updated Dec 14, 2021

The purpose of this article is to provide assistance if you find the Amazon Web Services™ (AWS™) web application firewall (WAF) is blocking AM traffic and causing authentication flows to fail. This happens when you have enabled WAF rules for web request body inspection such as the SizeRestrictions_BODY rule.


1 reader recommends this article

Symptoms

Traffic from AM can be blocked by the AWS WAF, which will cause authentication flows to fail. You will encounter issues such as end users not being able to log in to AM-protected applications or OAuth2 grant flows failing when this happens. This may only affect some end users or applications, which may make it hard to diagnose.

The AM debug logs do not reveal why this is happening. You should check your firewall request logs to find out exactly which requests are being blocked.

If you examine network traffic using your browser's Developer Tools or capture a HAR file, you will notice the POST body size exceeds 8 KB as indicated by the Content-Length in the Request Header. 

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM (All versions)?

Recent Changes

Implemented the AWS WAF.

Applied the AWS firewall Core rule set (CRS): AWSManagedRulesCommonRuleSet, which includes the SizeRestrictions_BODY rule.

Enabled WAF rules for web request body inspection.

Causes

The CRS includes the SizeRestrictions_BODY firewall rule, which blocks web requests with body payloads larger than 8 KB (8,192 bytes). Therefore, any web requests from AM (or any web application) that exceed this size restriction will fail because the firewall will block the request. AM requests can include things such as authentication journeys, OAuth2 flows and so on. 

AWS reduced this size restriction from 10 KB (10,240 bytes) on October 27, 2021, so web requests that succeeded before this date may now fail as a result.

Other rules that involve web request body inspection will also cause web requests to fail that have POST body payloads larger than 8 KB. See AWS WAF Web request body inspection for further information. 

Since the POST body includes everything in the request, the size will be determined by factors such as the following: 

  • The number of nodes in your authentication tree and the complexity of your journey because all callbacks are included in the POST body. Consider things such as:
    • The elements included in your page nodes such as input fields, links and so on.
    • Whether the Accept Terms and Conditions node is included in your tree which can pass lots of text.

See Supported Callbacks for further information on all the callbacks.

Solution

This issue can be resolved by reducing the size of the POST body for the failing web request(s) to less than 8 KB or implementing a custom rule set:

  • If you want to reduce the size of the POST body, you should examine what is being sent (use your browser's Developer Tools or capture a HAR file) and then make the necessary configuration changes to ensure you are only sending what is required to reduce the payload size.
  • If you want to implement a custom rule set, you should refer to the AWS documentation for further information: AWS WAF rules.
Note

Configuring firewalls and implementing custom rule sets is outside the scope of ForgeRock support; you should consult your firewall expert for guidance.

See Also

Ports Used

AWS WAF Baseline rule groups

AWS WAF Managed Rules changelog

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.