WAF Configuration

Web application firewalls can trigger false positives when used with Haventec OIDC Landing Page or Keycloak IAM. You may need to configure WAF exclusions when using these applications.

AWS WAF

The Core Rule Set managed rule group in AWS WAF includes the following potential false positives.

GenericRFI_QUERYARGUMENTS

This rule triggers on the redirect_uri request parameter used by the OIDC Landing Page, and should be disabled.

EC2MetaDataSSRF_QUERYARGUMENTS

This rule can also trigger on the redirect_uri request parameter when the URI uses localhost as the domain. Consider disabling this rule in non-production environments, for example to enable testing with a local Keycloak IAM instance.

GenericRFI_BODY

This rule can be triggered by URIs in the request body when configuring identity providers and other resources in Keycloak IAM. Disable this rule if administrators access Keycloak through the WAF.

EC2MetaDataSSRF_BODY

This rule can be triggered by URIs in the request body that use localhost as the domain. Consider disabling this rule in non-production environments when configuring Keycloak with local endpoints.
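As an added example, not part of Haventec's documentation, the following Python builds the AWS WAF (wafv2) web ACL rule entry that references the Core Rule Set and applies the exclusions above for a given deployment. It uses RuleActionOverrides set to Count, so the four rules still log matches for monitoring but no longer block, rather than removing them; the function names and the production/admin flags are this example's own assumptions.

```python
import json

# Rule names in the AWS WAF Core Rule Set (AWSManagedRulesCommonRuleSet) that
# this page identifies as false-positive sources for the OIDC Landing Page and
# Keycloak IAM, grouped by the condition under which they should be neutralised.
ALWAYS_OVERRIDE = ["GenericRFI_QUERYARGUMENTS"]
ADMIN_OVERRIDE = ["GenericRFI_BODY"]
NON_PROD_OVERRIDE = ["EC2MetaDataSSRF_QUERYARGUMENTS", "EC2MetaDataSSRF_BODY"]


def rules_to_override(production: bool, admin_via_waf: bool) -> list:
    """Return the Core Rule Set rules to override for the given deployment."""
    rules = list(ALWAYS_OVERRIDE)
    if admin_via_waf:            # Keycloak administrators reach the console via the WAF
        rules += ADMIN_OVERRIDE
    if not production:           # localhost redirect_uri / endpoints only in test setups
        rules += NON_PROD_OVERRIDE
    return rules


def core_rule_set_statement(production: bool, admin_via_waf: bool, priority: int = 1) -> dict:
    """Build a web ACL rule that references the Core Rule Set and overrides the
    selected rules to Count (logged, not blocked). The structure follows the
    wafv2 ManagedRuleGroupStatement shape used by create-web-acl/update-web-acl."""
    overrides = [
        {"Name": name, "ActionToUse": {"Count": {}}}
        for name in rules_to_override(production, admin_via_waf)
    ]
    return {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
                "RuleActionOverrides": overrides,
            }
        },
        # Managed rule groups take OverrideAction, not Action, at the web ACL level.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "AWSManagedRulesCommonRuleSet",
        },
    }


if __name__ == "__main__":
    # Production deployment where Keycloak admins are behind the WAF.
    print(json.dumps(core_rule_set_statement(production=True, admin_via_waf=True), indent=2))
```

The printed JSON can be placed in the Rules list of a web ACL definition; the Count overrides keep CloudWatch metrics and sampled requests for the affected rules, which is how to confirm the exclusions are only matching the expected OIDC traffic.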