[keycloak-dev] questions on Marek/Hynek presentation

Bill Burke bburke at redhat.com
Fri May 19 10:58:50 EDT 2017

On 5/19/17 10:57 AM, Marek Posolda wrote:
> On 19/05/17 16:19, Bill Burke wrote:
>> * Won't the regular case be that the load balancer generates the
>> affinity cookie or doesn't have a cookie at all?  HA-Proxy is quite
>> popular and they have both options.
> Yes, that's also what Sebastien Schuster from the community mentioned in
> another thread. That's why I've added StickySessionEncoderProvider as an
> SPI, so it's easily possible to disable Keycloak adding the route to the
> cookie, or sticky request based on something different than the cookie
> (e.g. path parameter).
> However, having Keycloak itself choose the route has one big
> performance advantage: it can route to the node that is the owner of
> the entry in the Infinispan distributed cache. This also includes
> support for rebalance (the owner may change when a new node joins/leaves
> the cluster, then you change the route automatically). This is what
> WildFly is doing for HTTP sessions too.
> We discussed the integration with KeyAffinityService [1], which helps
> with the use case when the load balancer generates the route to the cookie. It
> ensures that the generated session ID will be local to the current node. Hence
> the load balancer can use the request node as the route and the session will be
> local to it. But this doesn't handle rebalance, so IMO the preferred
> option is still to let Keycloak append the route.
> There is also the Infinispan grouping API I want to look at.
> [1] 
> http://infinispan.org/docs/stable/user_guide/user_guide.html#KeyAffinityService
>> * @ 18:25 in bluejeans session, the "You are already logged in" screen.
>> What happens when the user clicks "proceed"?  Does the SAML or OIDC
>> request continue as normal? Or are you calculating the URI on the
>> application to redirect to, if so, why?
> No, this is just a link to the client base URI, and then a new flow can be
> started from the application. ATM authenticationSession may already be
> removed as the user already logged in in a different browser tab etc, so there
> is no flow to continue with.
> Currently there is just userSession available and the client
> application used for "Back to application" is the last authenticated
> client in userSession. I am going to improve it and use the "client_id"
> parameter in requests, so in case of expired session, already
> authentication session etc, you would always know the client from the
> "client_id" parameter. Details are in the other ML thread "Provide a Link
> to go Back to The Application on a Timeout".

Why do you need this page?  Why can't you just proceed with the 
OIDC/SAML protocol?

