[keycloak-dev] clustering Re: what's next for Alpha 3?
Bill Burke
bburke at redhat.com
Thu Feb 20 10:47:35 EST 2014
On 2/20/2014 4:36 AM, Marek Posolda wrote:
> Some possible features I can think of:
>
> -- Clustering support -- For example if I have load-balancer and two
> keycloak servers "kc1" and "kc2" and client application doesn't
> communicate directly with keycloak servers but it uses loadbalancer.
> Then login request could be redirected by loadbalancer to "kc1" where is
> created accessCode entry in TokenManager. But when client application
> sends another request to load-balancer for exchanging code for
> accessToken, it could be served by "kc2", which doesn't have this code
> entry --> error. I did not test this scenario, but I am assuming that it
> probably won't work due to this... Do we want to support this? I've also
> created JIRA https://issues.jboss.org/browse/KEYCLOAK-323 which could be
> related to this.
>
Clustering really f's up the oauth/openid flow. The only thing I could
think of was that the auth-code redirect URL could contain a signed URL
where the client goes to turn the code into a token. I was surprised, I
couldn't find anything in the OpenID Connect spec that covered this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list