WAF Configuration

Web application firewalls can trigger false positives when used with Haventec OIDC Landing Page or Haventec IAM. You may need to configure WAF exclusions when using these applications.

AWS WAF

The Core Rule Set managed rule group in AWS WAF includes the following potential false positives.

GenericRFI_QUERYARGUMENTS

This rule triggers on the redirect_uri request parameter used by the OIDC Landing Page, and should be disabled.

EC2MetaDataSSRF_QUERYARGUMENTS

This rule can also trigger on the redirect_uri request parameter when the URI uses localhost as the domain. Consider disabling this rule in non-production environments, for example to enable testing with a local Haventec IAM instance.

CrossSiteScripting_BODY

A false positive that can be caused by "/" characters in Base64 content. This rule should be disabled for both Haventec IAM and the OIDC Landing Page.

CrossSiteScripting_QUERYARGUMENTS

A false positive when using Haventec IAM with SAML, caused by URIs in the SigAlg parameter.

GenericRFI_BODY

This rule can be triggered by URIs in the request body when configuring identity providers and other resources in Haventec IAM. Disable this rule if administrators access Keycloak through the WAF.

EC2MetaDataSSRF_BODY

This rule can be triggered by URIs in the request body that use localhost as the domain. Consider disabling this rule in non-production environments when configuring Keycloak with local endpoints.
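Putting the exclusions above together, the following is an added example (not Haventec's own code or configuration) that builds the AWS WAF rule entry for the Core Rule Set managed rule group, overriding only the rules listed on this page and only under the conditions it gives. The request shape is the boto3 wafv2 one; the function names and the saml_enabled / admin_via_waf flags are assumptions.

```python
"""Build the wafv2 Rule entry for the Core Rule Set with the Haventec-specific
overrides. Overridden rules are set to Count rather than removed, so they still
appear in WAF logs and can be reviewed (added example, not Haventec code)."""

# Rules that fire on the OIDC Landing Page / Haventec IAM in every environment.
ALWAYS_OVERRIDE = ["GenericRFI_QUERYARGUMENTS", "CrossSiteScripting_BODY"]
# Rules that only fire on localhost redirect/endpoint URIs: override them
# outside production only, so production keeps SSRF protection.
LOCALHOST_ONLY = ["EC2MetaDataSSRF_QUERYARGUMENTS", "EC2MetaDataSSRF_BODY"]


def haventec_rule_overrides(production, saml_enabled=False, admin_via_waf=False):
    """Return the minimal list of Core Rule Set rules to override.

    saml_enabled: Haventec IAM is used with SAML (SigAlg false positive).
    admin_via_waf: administrators reach Keycloak through the WAF (GenericRFI_BODY).
    """
    names = list(ALWAYS_OVERRIDE)
    if saml_enabled:
        names.append("CrossSiteScripting_QUERYARGUMENTS")
    if admin_via_waf:
        names.append("GenericRFI_BODY")
    if not production:
        names.extend(LOCALHOST_ONLY)
    return names


def common_rule_set_rule(production, saml_enabled=False, admin_via_waf=False, priority=0):
    """Build the Rule dict to place in the Rules list of create_web_acl/update_web_acl."""
    overrides = [
        {"Name": name, "ActionToUse": {"Count": {}}}
        for name in haventec_rule_overrides(production, saml_enabled, admin_via_waf)
    ]
    return {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": priority,
        # "None" keeps each rule's own action; per-rule changes go in RuleActionOverrides.
        "OverrideAction": {"None": {}},
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
                "RuleActionOverrides": overrides,
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "HaventecCommonRuleSet",
        },
    }
```

Because overridden rules are counted rather than dropped, a spike in COUNT matches on one of them in the WAF logs is still visible and can be investigated.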