Whoami request from admin console returns 401 when using Amazon Cloudfront

I am using Keycloak to secure applications deployed using CloudFoundry. In cloud I am using, Amazon CloudFront is used as load balancer. I don’t have control over it.
I have different deployments of Keycloak, on different environments, e.g. staging, production, development etc. All deployments are using the same scripts for installation. Keycloak version is 4.8.3.Final.
On one environment, when I login to admin console, whoami request (/auth/admin/master/console/whoami) fails. However, when I open tunnel to server on which keycloak is running, I can login to admin console. Do you know anything about this issue?

Did you find any solution? I have a HAProxy I can’t manage in front of my Keycloak and got the same problem. I think there must be some weird option in HAProxy which breaks something in Keycloak. I’ve tried a basic HAProxy conf on another infrastructure and can’t reproduce the issue.

Update: I think I found something. Something in our network prevents the HTTP Authorization header from being longer than a certain size (let’s say 256 characters). I have not found a way to shorten Keycloak tokens though.

It seems to be a configuration that deletes the Authorization header in CloudFront before the request is sent to the origin.
You need to add Authorization to the whitelisted headers in CloudFront’s Behavior setting.
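To verify that fix across all behaviors of a distribution, here is an added example (not from this thread) that inspects the JSON returned by `aws cloudfront get-distribution-config --id <ID>` and reports which cache behaviors whitelist Authorization; the sample config embedded below is constructed, and `audit_distribution` / `behavior_forwards_authorization` are names chosen for this example.

```python
"""Check whether a CloudFront distribution forwards the Authorization header
to its origin, based on the JSON from `aws cloudfront get-distribution-config`.
The sample below is constructed for illustration, not a real distribution."""
import json
from typing import Optional


def behavior_forwards_authorization(behavior: dict) -> Optional[bool]:
    """True/False for a behavior using legacy ForwardedValues; None when the
    behavior uses a cache policy instead (then its origin request policy
    decides which headers reach the origin, so check that separately)."""
    forwarded = behavior.get("ForwardedValues")
    if forwarded is None:
        return None
    headers = forwarded.get("Headers", {})
    # "Items" is only present when "Quantity" > 0.
    items = headers.get("Items", []) if headers.get("Quantity", 0) else []
    # Header names are case-insensitive; "*" forwards every header.
    return any(h.lower() in ("authorization", "*") for h in items)


def audit_distribution(config: dict) -> dict:
    """Map the default behavior and each path-pattern behavior to its status."""
    dist = config["DistributionConfig"]
    result = {"default": behavior_forwards_authorization(dist["DefaultCacheBehavior"])}
    for b in dist.get("CacheBehaviors", {}).get("Items", []):
        result[b["PathPattern"]] = behavior_forwards_authorization(b)
    return result


# Constructed sample: /auth/* whitelists Authorization, while the default
# behavior only forwards Host and X-Forwarded-* (the 401 case from the thread).
SAMPLE = json.loads("""{
  "DistributionConfig": {
    "DefaultCacheBehavior": {"ForwardedValues": {"QueryString": true,
      "Headers": {"Quantity": 3, "Items": ["Host", "X-Forwarded-For", "X-Forwarded-Proto"]}}},
    "CacheBehaviors": {"Quantity": 2, "Items": [
      {"PathPattern": "/auth/*", "ForwardedValues": {"QueryString": true,
        "Headers": {"Quantity": 2, "Items": ["Host", "Authorization"]}}},
      {"PathPattern": "/static/*", "CachePolicyId": "EXAMPLE-POLICY-ID"}
    ]}
  }
}""")

if __name__ == "__main__":
    labels = {True: "forwards Authorization", False: "STRIPS Authorization",
              None: "uses a cache policy, check its origin request policy"}
    for pattern, status in audit_distribution(SAMPLE).items():
        print(f"{pattern}: {labels[status]}")
```

Pipe the real CLI output into `audit_distribution(json.load(sys.stdin))` to check a live distribution; any behavior matching the whoami path that reports False reproduces the 401 described above.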

Do you know which specific headers need to be whitelisted? I have tried

  • host
  • x-forwarded-for
  • x-forwarded-proto

but no success.