[keycloak-dev] questions on Marek/Hynek presentation
mposolda at redhat.com
Fri May 19 10:57:10 EDT 2017
On 19/05/17 16:19, Bill Burke wrote:
> * Won't the regular case be that the load balancer generates the
> affinity cookie or doesn't have a cookie at all? HA-Proxy is quite
> popular and they have both options.
Yes, that's also what Sebastien Schuster from the community mentioned in
another thread. That's why I've added StickySessionEncoderProvider as an SPI,
so it's easily possible to disable Keycloak adding the route to the cookie,
or make requests sticky based on something other than the cookie (eg. path
However, having Keycloak itself choose the route has one big
performance advantage: it can route to the node which is the owner of
the entry in the Infinispan distributed cache. This also includes
support for rebalancing (the owner may change when a new node joins/leaves the
cluster, and then the route changes automatically). This is what Wildfly is
doing for HTTP sessions too.
We discussed the integration with KeyAffinityService, which helps
with the use case where the loadbalancer generates the route for the cookie. It ensures
that the generated session ID will be local to the current node. Hence the
loadbalancer can use the request node as the route and the session will be local
to it. But this doesn't handle rebalancing, so IMO the preferred option is
still to let Keycloak append the route.
There is also infinispan grouping API I want to look at.
> * @ 18:25 in bluejeans session, The "You are already logged in" screen.
> What happens when the user clicks "proceed"? Does the SAML or OIDC
> request continue as normal? Or are you calculating the URI on the
> application to redirect to, if so, why?
No, this is just a link to the client base URI, and then a new flow can be
started from the application. ATM the authenticationSession may be already
removed, as the user may already have logged in in a different browser tab
etc., so there is no flow to continue with.
Currently there is just the userSession available, and the client application
used for "Back to application" is the last authenticated client in the
userSession. I am going to improve it and use the "client_id" parameter in
requests, so in case of an expired session, an already removed authentication
session etc., you would always know the client from the "client_id" parameter.
Details in the other ML thread "Provide a Link to go Back to The
Application on a Timeout".
> On Action Tokens:
> * What is the relationship between the RequiredAction SPI and
> ActionTokenHandler SPI? Does every RequiredAction have to have a
> corresponding ActionTokenHandler?
> * Why would a app developer need to implement an ActionTokenHandler?
> Wouldn't it be better for the Required Action SPI to provide the
> appropriate metadata so that the handler could be implemented by us?
> i.e. isOneTimeToken, email-template, etc, etc. I guess what I'm saying
> is that action tokens should be incorporated into the RequiredAction SPI.
> * Related to above. Required actions should be able to specify an
> "admin console template" and "login template". These would be the
> freemarker template to use to create the email that is sent to the
> user. "admin console" would be from an admin generating the action.
> "login" would be when user login initiates the action email.
> * On the Admin Console "Credential Reset" section. Required Action
> emails (now Action tokens) aren't necessarily "Credential Resets".
> Verify email is not a credential reset. etc. This needs to be renamed and
> maybe put in another tab?
> * We will need a way to offload action processing to another external
> service. keycloak exists to mark that the action was completed, but all
> the processing for the action happens in an external application. A lot
> of people have existing applications they want to integrate with that
> perform action processing. Just something to think about. We need this
> for other areas of keycloak (i.e. registration).
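To make the routing scheme from the first answer concrete, here is a small constructed model. It is an example added to this archived message, not Keycloak's own StickySessionEncoderProvider or Infinispan's hashing; the function names (owner_for, encode_cookie, refresh_route, pick_backend) and the rendezvous hash used for cache ownership are assumptions made for illustration. The server appends the owner node as a route suffix to the session cookie, re-derives the owner on each response so a rebalance moves the route automatically, and the balancer honours the suffix only when it names a live node.

```python
import hashlib
import re
from typing import Optional, Sequence, Tuple

# Added toy model of "Keycloak appends the route to the cookie". This is NOT
# Keycloak's or Infinispan's code; function names and the hash ring that
# stands in for cache ownership are assumptions made for illustration.

# Once an id/route travels in a cookie it is client-controlled, so only a
# conservative alphabet is accepted when parsing it back.
_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
SEPARATOR = "."  # cookie value layout: "<session id>.<route>"


def owner_for(session_id: str, nodes: Sequence[str]) -> str:
    """Return the node assumed to own the cache entry for session_id.

    Rendezvous (highest-random-weight) hashing stands in for the cache's real
    ownership function: a node's score depends only on (node, session_id), so
    when a node joins, the only sessions that move are the ones it now wins.
    That is the rebalance case described in the mail.
    """
    if not nodes:
        raise ValueError("cluster has no members")

    def score(node: str) -> int:
        digest = hashlib.sha256(f"{node}:{session_id}".encode()).digest()
        return int.from_bytes(digest[:8], "big")

    return max(nodes, key=score)


def encode_cookie(session_id: str, route: Optional[str]) -> str:
    """Server side: append the owner route, or emit the bare id when the
    encoder is disabled (the balancer-generates-its-own-cookie case)."""
    if not _TOKEN.match(session_id):
        raise ValueError("session id contains unexpected characters")
    if route is None:
        return session_id
    if not _TOKEN.match(route):
        raise ValueError("route contains unexpected characters")
    return f"{session_id}{SEPARATOR}{route}"


def decode_cookie(value: str) -> Tuple[str, Optional[str]]:
    """Split "<id>.<route>" back into its parts, rejecting malformed input."""
    session_id, sep, route = value.partition(SEPARATOR)
    if not _TOKEN.match(session_id):
        raise ValueError("malformed session id")
    if not sep:
        return session_id, None
    if not _TOKEN.match(route):  # also rejects a second "." in the value
        raise ValueError("malformed route")
    return session_id, route


def refresh_route(cookie: str, nodes: Sequence[str]) -> Tuple[str, bool]:
    """Server side, on every response: re-derive the owner and rewrite the
    route when ownership moved. Returns (new cookie value, changed)."""
    session_id, old_route = decode_cookie(cookie)
    new_route = owner_for(session_id, nodes)
    return encode_cookie(session_id, new_route), new_route != old_route


def pick_backend(cookie: Optional[str], nodes: Sequence[str]) -> str:
    """Load-balancer side: honour the route suffix when it names a live node;
    otherwise (no cookie, garbage, or a node that left) fall back to a plain
    hash of the cookie so the choice is at least stable."""
    if not nodes:
        raise ValueError("no backends")
    if cookie is None:
        return nodes[0]
    try:
        _, route = decode_cookie(cookie)
    except ValueError:
        route = None
    if route in nodes:
        return route
    index = int.from_bytes(hashlib.sha256(cookie.encode()).digest()[:4], "big")
    return nodes[index % len(nodes)]


def demo() -> dict:
    """Walk one constructed session through a node joining the cluster."""
    two = ["node1", "node2"]
    three = two + ["node3"]
    session_id = "a1b2c3d4e5"  # constructed sample id
    cookie = encode_cookie(session_id, owner_for(session_id, two))
    first_hop = pick_backend(cookie, two)
    new_cookie, changed = refresh_route(cookie, three)  # node3 joined
    return {
        "cookie_before": cookie,
        "first_hop": first_hop,
        "cookie_after": new_cookie,
        "route_changed": changed,
        "second_hop": pick_backend(new_cookie, three),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points a practitioner would check in a real deployment are modelled here: the route suffix is parsed as untrusted input (a client can set any cookie value, so it is validated before it influences routing), and the balancer must fall back to some stable choice when the route names a node that has left, which is exactly the moment the server-side refresh rewrites the cookie.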