[keycloak-dev] Sticky sessions in backchannel requests
bburke at redhat.com
Fri May 19 10:31:47 EDT 2017
On 5/19/17 10:29 AM, Marek Posolda wrote:
> On 19/05/17 15:21, Bill Burke wrote:
>> This issue comes up in:
>> * code to token
>> * refresh token
>> * backchannel logout
>> * access token validation (bearer token authentication)
>> * Authorization and RPT
>> * Token exchange
>> Any others?
>> We need to get on OIDC lists and discuss these types of issues so that
>> they can get standardized.
> Good point. I can try to start discussion there.
>> Other thoughts:
>> * What if you talk to the node directly by providing a URL claim in the
>> token or code? The issue with that is that since we derive a lot of
>> things from the hostname of the request, we will need the ability to
>> override this.
> You mean to bypass the load balancer entirely and let the application talk
> to the backend node directly?
> Besides the hostname issue, there is another one: the backend node
> may not be directly reachable. Those are typically on private networks,
> and it can be a different private network than the one the application is using.
> That was the case, for example, in the Red Hat IT environment.
> BTW, we already had a similar possibility in the adapter to talk directly to the
> backend node in backchannel requests. Instead of looking up the backend
> node URL from a claim, we had the option in the adapter configuration
> "auth-server-url-for-backend-requests". But the option was removed
> due to those issues like hostname and verification of the "iss" claim in tokens.
Backchannel sticky sessions become quite difficult if you can't talk to the
node directly. The adapter will have to know to set a cookie that the
load balancer can handle. If the load balancer is using the client IP to
load balance, then you are SOL.
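To make the failure mode discussed in this thread concrete, here is an added toy model (not Keycloak's code) of two non-replicated nodes behind a load balancer: the browser's front-channel request and the adapter's back-channel code-to-token request come from different source IPs, so client-IP stickiness can send the code exchange to a node that never issued the code, while a cookie the adapter is able to set lets the load balancer honour the route. The node names, IPs, the ROUTE cookie and the node hint embedded in the code are assumptions of the model.

```python
# Added example, not Keycloak code: a toy model of the thread's problem. The browser's
# front-channel request and the adapter's back-channel code-to-token request arrive from
# different source IPs, so a client-IP load balancer may send them to different nodes.
# Node names, IPs, the ROUTE cookie and the node hint inside the code are assumptions.
import secrets

class AuthNode:
    """A Keycloak-like node whose authorization codes live only in its own memory."""

    def __init__(self, name):
        self.name = name
        self.codes = {}

    def issue_code(self, user):
        # Assumption: the node tags the code with its name so the adapter can derive
        # a routing hint (the thread's "claim in the token or code" idea).
        code = f"{self.name}.{secrets.token_hex(8)}"
        self.codes[code] = user
        return code

    def exchange_code(self, code):
        # None models "code not found on this node", the failure the thread is about.
        return self.codes.pop(code, None)

class LoadBalancer:
    def __init__(self, nodes, mode):
        self.nodes = {n.name: n for n in nodes}
        self.mode = mode  # "ip_hash" or "cookie"

    def route(self, client_ip, cookies):
        if self.mode == "cookie" and cookies.get("ROUTE") in self.nodes:
            return self.nodes[cookies["ROUTE"]]
        # Toy stand-in for client-IP hashing: last octet modulo the node count.
        names = list(self.nodes)
        node = self.nodes[names[int(client_ip.rsplit(".", 1)[1]) % len(names)]]
        cookies["ROUTE"] = node.name  # the LB hands its sticky cookie to the caller
        return node

def code_to_token(mode, browser_ip="203.0.113.10", adapter_ip="198.51.100.5"):
    lb = LoadBalancer([AuthNode("node1"), AuthNode("node2")], mode)
    # Front channel: the browser lands on some node and is issued a code.
    code = lb.route(browser_ip, {}).issue_code("alice")
    # Back channel: the adapter posts the code from its own IP. With cookie stickiness
    # it sets the cookie the LB honours, derived from the code's hint; with IP hashing
    # there is nothing it can set, so the request lands wherever its IP hashes.
    adapter_cookies = {"ROUTE": code.split(".")[0]} if mode == "cookie" else {}
    return lb.route(adapter_ip, adapter_cookies).exchange_code(code)  # "alice" or None
```

With the default IPs, `code_to_token("ip_hash")` returns None because the two requests hash to different nodes, and `code_to_token("cookie")` returns "alice".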