[keycloak-dev] Sticky sessions in backchannel requests
Bill Burke
bburke at redhat.com
Fri May 19 10:31:47 EDT 2017
On 5/19/17 10:29 AM, Marek Posolda wrote:
> On 19/05/17 15:21, Bill Burke wrote:
>> This issue comes up in:
>>
>> * code to token
>>
>> * refresh token
>>
>> * backchannel logout
>>
>> * access token validation (bearer token authentication)
>>
>> * Authorization and RPT
>>
>> * Token exchange
>>
>> Any others?
>>
>> We need to get on OIDC lists and discuss these types of issues so that
>> they can get standardized.
> Good point. I can try to start discussion there.
>>
>> Other thoughts:
>>
>> * What if you talk to the node directly by providing a URL claim in the
>> token or code? The issue with that is that since we derive a lot of
>> things from the hostname of the request, we will need the ability to
>> override this.
> You mean to bypass the loadbalancer entirely and let the application talk
> to the backend node directly?
>
> Besides the hostname issue, there is another one: the backend node
> may not be directly available. Those are typically on private networks,
> and it can be a different private network than the one the application is using.
> That was the case, for example, in the RedHat IT environment.
>
> BTW, we already had a similar possibility in the adapter to directly talk to
> the backend node in backchannel requests. Instead of looking up the backend
> node URL from a claim, we had the option in the adapter configuration
> "auth-server-url-for-backend-requests". But the option was removed
> due to those issues like hostname, verification of the "iss" claim in tokens,
> etc.
>
>
Backchannel sticky sessions become quite difficult if you can't talk to the
node directly. The adapter will have to know to set a cookie that the
loadbalancer can handle. If the load balancer is using client IP to
loadbalance, then you are SOL.
Bill