[keycloak-dev] Resolving of relative redirectUri in cluster
Stian Thorgersen
stian at redhat.com
Mon Sep 29 02:58:39 EDT 2014
To avoid sending all traffic through a proxy it would be better to either:
* Use round-robin DNS
* Use HTTP redirect from http://frontend:8080 to http://backend-node1:8080
However, neither what you propose or HTTP redirect would work with cookies. Round-robin DNS would though and IMO that's the cleanest way to do it.
----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 29 September, 2014 8:38:58 AM
> Subject: [keycloak-dev] Resolving of relative redirectUri in cluster
>
> I wonder if it's ok to add possibility to WildFly/AS7 adapter for
> alternative resolving of relative redirectUris. Currently it's always
> retrieved from HTTP request sent by browser (ie. with relative uri
> "/auth" and HTTP request is "http://localhost:8080/customer-portal" then
> adapter is able to resolve the URI to "http://localhost:8080/auth"). Is
> it ok to have possibility (perhaps boolean config option on adapter like
> "preserve-hostname") to resolve them from the actual hostname instead of
> browser request? Usually it's not much difference, but in cluster there
> might be scenario like:
> - Setup with loadbalancer on "http://frontend:8080" and 2 backend
> cluster nodes "http://backend-node1:8080" and "http://backend-node2:8080"
> - Then user filled login form. Now assume that request request with
> code+state is processed on
> "http://backend-node1:8080/customer-portal?code=...&state=..." . Now
> adapter sends codeToToken exchanging request to relative URI, which is
> resolved from browser to "http://frontend:8080". So adapter sends
> request to loadbalancer, which is then resended back to one of backend
> nodes. So 2 additional network hops needed.
>
> So when there is possibility to resolve relative URI from hostname, then
> backend-node1 will send exchanging request to itself instead of going
> through loadbalancer. In cluster it should help to save performance and
> reduce network communication.
>
> Note that this will be configurable and will be used by adapters just
> for backend requests (codeToToken, refresh token etc). All browser
> redirects will still need to go through loadbalancer IMO, in usual
> cluster environments are cluster nodes hidden in private network and URI
> like "http://backend-node1:8080/auth" may not be available for users.
>
> wdyt?
>
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list