[keycloak-dev] questions on Marek/Hynek presentation

Marek Posolda mposolda at redhat.com
Fri May 19 10:57:10 EDT 2017


On 19/05/17 16:19, Bill Burke wrote:
> * Won't the regular case be that the load balancer generates the
> affinity cookie or doesn't have a cookie at all?  HA-Proxy is quite
> popular and they have both options.
Yes, that's also what Sebastien Schuster from the community mentioned in 
another thread. That's why I've added StickySessionEncoderProvider as an SPI, 
so it's easily possible to disable Keycloak adding the route to the cookie, 
or to make requests sticky based on something other than the cookie (e.g. a path 
parameter).

However, having Keycloak itself choose the route has one big 
performance advantage: it can route to the node that is the owner of 
the entry in the Infinispan distributed cache. This also includes 
support for rebalancing (the owner may change when a new node joins/leaves the 
cluster, and then the route changes automatically). This is what WildFly does 
for HTTP sessions too.

We discussed the integration with KeyAffinityService [1], which helps 
with the use case where the load balancer generates the route in the cookie. It ensures 
that the generated session ID will be local to the current node. Hence the 
load balancer can use the request node as the route and the session will be local 
to it. But this doesn't handle rebalancing, so IMO the preferred option is 
still to let Keycloak append the route.

There is also the Infinispan grouping API I want to look at.

[1] http://infinispan.org/docs/stable/user_guide/user_guide.html#KeyAffinityService
> * @ 18:25 in bluejeans session, The "You are already logged in" screen.
> What happens when the user clicks "proceed"?  Does the SAML or OIDC
> request continue as normal? Or are you calculating the URI on the
> application to redirect to, if so, why?
No, this is just a link to the client base URI, and then a new flow can be 
started from the application. ATM the authenticationSession may already be 
removed, as the user has already logged in in a different browser tab etc., so there is 
no flow to continue with.

Currently there is just the userSession available, and the client application 
used for "Back to application" is the last authenticated client in the 
userSession. I am going to improve it and use the "client_id" parameter in 
requests, so in case of an expired session, an already authenticated session 
etc., you would always know the client from the "client_id" parameter. 
Details are in the other ML thread "Provide a Link to go Back to The 
Application on a Timeout".

Marek
>
> On Action Tokens:
>
>
> * What is the relationship between the RequiredAction SPI and
> ActionTokenHandler SPI?  Does every RequiredAction have to have a
> corresponding ActionTokenHandler?
>
> * Why would an app developer need to implement an ActionTokenHandler?
> Wouldn't it be better for the Required Action SPI to provide the
> appropriate metadata so that the handler could be implemented by us?
> i.e. isOneTimeToken, email-template, etc, etc.  I guess what I'm saying
> is that action tokens should be incorporated into the RequiredAction SPI.
>
> * Related to above.  Required actions should be able to specify an
> "admin console template" and "login template".  These would be the
> freemarker template to use to create the email that is sent to the
> user.  "admin console" would be from an admin generating the action.
> "login" would be when user login initiates the action email.
>
> * On the Admin Console "Credential Reset" section.  Required Action
> emails (now Action tokens) aren't necessarily "Credential Resets".
> Verify email is not a credential reset. etc. This needs to be renamed and
> maybe put in another tab?
>
> * We will need a way to offload action processing to another external
> service.  keycloak exists to mark that the action was completed, but all
> the processing for the action happens in an external application.  A lot
> of people have existing applications they want to integrate with that
> perform action processing.  Just something to think about.  We need this
> for other areas of keycloak (i.e. registration).
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
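A model of the route-in-cookie mechanism discussed above (Keycloak appending the owner node's route to the session id, the load balancer honouring it, and the route changing when the cache owner moves after a node leaves). This is an added illustration, not Keycloak's or Infinispan's code: the `<session-id>.<route>` layout, the function names and the simplified hash-based owner lookup are all assumptions.

```python
import hashlib

ROUTE_SEPARATOR = "."  # assumed layout: "<session-id>.<route>"


class DistributedCacheModel:
    """Toy stand-in for an Infinispan distributed cache (constructed model):
    the owner of a key is chosen by hashing it onto the sorted member list.
    Real Infinispan uses consistent hashing with segments, but the point is
    the same: the owner can change when members join or leave."""

    def __init__(self, members):
        self.members = sorted(members)

    def owner_of(self, key):
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        return self.members[int.from_bytes(digest[:8], "big") % len(self.members)]

    def leave(self, node):
        self.members = sorted(set(self.members) - {node})


def encode_session_id(session_id, cache, attach_route=True):
    # Append the owner's route so the load balancer sends the next request to
    # the node holding the entry; attach_route=False leaves affinity to the
    # load balancer itself (e.g. an HAProxy-generated cookie), as the SPI allows.
    if not attach_route:
        return session_id
    return f"{session_id}{ROUTE_SEPARATOR}{cache.owner_of(session_id)}"


def decode_session_id(encoded):
    # Strip the route suffix so the cache is queried with the bare id.
    session_id, sep, _route = encoded.rpartition(ROUTE_SEPARATOR)
    return session_id if sep else encoded


def route_of(encoded):
    # The attached route, or '' when the cookie carries none.
    _id, sep, route = encoded.rpartition(ROUTE_SEPARATOR)
    return route if sep else ""


def handle_request(cookie_value, cache, local_node):
    # One request arriving at local_node: decode the id, check whether this
    # node owns the entry, and re-issue the cookie when rebalancing moved it.
    session_id = decode_session_id(cookie_value)
    refreshed = encode_session_id(session_id, cache)
    return {"session_id": session_id,
            "local_hit": cache.owner_of(session_id) == local_node,
            "set_cookie": refreshed if refreshed != cookie_value else None}
```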