[keycloak-dev] Sticky sessions in backchannel requests

Bill Burke bburke at redhat.com
Fri May 19 10:31:47 EDT 2017

On 5/19/17 10:29 AM, Marek Posolda wrote:
> On 19/05/17 15:21, Bill Burke wrote:
>> This issue comes up in:
>> * code to token
>> * refresh token
>> * backchannel logout
>> * access token validation (bearer token authentication)
>> * Authorization and RPT
>> * Token exchange
>> Any others?
>> We need to get on OIDC lists and discuss these types of issues so that
>> they can get standardized.
> Good point. I can try to start discussion there.
>> Other thoughts:
>> * What if you talk to the node directly by providing a URL claim in the
>> token or code? The issue with that is that since we derive a lot of
>> things from the hostname of the request, we will need the ability to
>> override this.
> You mean to bypass loadbalancer entirely and let the application talk 
> to the backend node directly?
> Besides the hostname issue, there is another one, that backend node 
> may not be directly available. Those are typically on private networks 
> and it can be different private network that application is using. 
> That was the case for example in RedHat IT environment.
> BTV. We already had similar possibility in adapter to directly talk to 
> backend node in backchannel requests. Instead of lookup the backend 
> node URL from claim, we had the option in adapter configuration 
> "auth-server-url-for-backend-requests" . But the option was removed 
> due those issues like hostname, verifications of "iss" claim in tokens 
> etc.

Backchannel sticky session becomes quite difficult if you can't talk to 
node directly. Adapter will have to know to set a cookie that the 
loadbalancer can handle.  If the load balancer is using client IP to 
loadbalance, then you are SOL.


More information about the keycloak-dev mailing list