[keycloak-dev] sticky sessions

Stian Thorgersen sthorger at redhat.com
Wed Dec 2 09:55:38 EST 2015


Adding callback URI to the token would also make it very Keycloak specific.
So it would only work for Keycloak adapters.

On 2 December 2015 at 15:50, Marek Posolda <mposolda at redhat.com> wrote:

> Not sure if callback URI will work, because application may be able to
> see just the loadbalancer node and underlying cluster nodes might be
> hidden from it.
>
> For example if you have callback URI like
> http://node1:8080/auth/.../token, application may not be able to
> directly access host "node1" because it's hidden and application can
> access just http://loadbalancer:8080 .
>
> Marek
>
> On 02/12/15 15:34, Bill Burke wrote:
> > IMO, we need to highlight and document that when using a load balancer
> > in a cluster, sticky sessions should be enabled.  We might even want to
> > consider adding support for sticky sessions for the code2token flow.
> > The obvious reason is performance.  Login can span multiple HTTP
> > requests.  If you have N nodes in the cluster with no clustering you
> > have the possibility of the same user being retrieved from the database
> > N times.  One time for each authentication request (username/password,
> > OTP page, required actions) and finally for the code 2 token request.
> > Until I look into fixing it the auth SPI does a few extra redirects
> > right now too.
> >
> > Code 2 token could simply have a callback URI so that the code 2 token
> > request hits the same machine the code was created on.
> >