<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
I am not sure about the details of your environment. You mentioned
that you're not interested in clustering of the Keycloak server. So do
I understand correctly that you have just 1 node as the Keycloak
server and 2 nodes with your application deployed? Are you using the
"distributable" tag in web.xml of your app on both nodes to ensure
session replication? Are you using a load balancer? <br>
<br>
Marek<br>
<br>
On 4.2.2015 13:37, Bappaditya Gorai (bgorai) wrote:<br>
</div>
<blockquote
cite="mid:C5AF53298BAB5F4A88B28966E43B40AD0565C3E0@xmb-aln-x12.cisco.com"
type="cite">
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Thanks for the detailed description. Still, it seems that in
the case of a clustered resource environment (distributable
without sticky sessions) we are relying on session
replication happening immediately between CODE_TO_TOKEN and the
resource hit (302), which may or
may not happen. We are now facing the same issue, where after
CODE_TO_TOKEN the client is redirected to the login URL again. </div>
<div> </div>
<div>Are we addressing this scenario with 1.1.0 Final? </div>
<div> </div>
<div> </div>
<div>Thanks</div>
<div>Bappaditya Gorai</div>
<div> </div>
<div>-----Original Message-----<br>
From: Marek Posolda [<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
Sent: Monday, February 02, 2015 2:00 PM<br>
To: Bappaditya Gorai (bgorai); Stian Thorgersen<br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
Subject: Re: [keycloak-dev] Facing Issue with Resource
Server in Clustered Environment</div>
<div> </div>
<div>Hi,</div>
<div> </div>
<div>it's not stateless by default. Data about the Keycloak
authenticated principal is saved in the HTTP session by default
and can be replicated across cluster nodes (replication
works as long as your application is marked as
"distributable" in web.xml).</div>
<div> </div>
<div>However, we support a stateless adapter, which won't save
anything in the HTTP session and won't create an HTTP session and
JSESSIONID cookie at all (unless you're calling
httpRequest.getSession() in your own application). Instead
all the data is saved in a cookie.</div>
<div> </div>
<div>Some more info in docs: </div>
<div><a moz-do-not-send="true"
href="http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicationClustering.html#stateless-token-store">http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicationClustering.html#stateless-token-store</a></div>
<div> </div>
<div>Marek</div>
<div> </div>
<div>On 30.1.2015 11:26, Bappaditya Gorai (bgorai) wrote:</div>
<div>> Thanks for clarifying. So, I think adapter has
become stateless in 1.1.0.Final. Is my understanding
correct?</div>
<div>></div>
<div>></div>
<div>> -----Original Message-----</div>
<div>> From: Stian Thorgersen [<a moz-do-not-send="true"
href="mailto:stian@redhat.com">mailto:stian@redhat.com</a>]</div>
<div>> Sent: Friday, January 30, 2015 1:18 PM</div>
<div>> To: Bappaditya Gorai (bgorai)</div>
<div>> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></div>
<div>> Subject: Re: [keycloak-dev] Facing Issue with
Resource Server in </div>
<div>> Clustered Environment</div>
<div>></div>
<div>></div>
<div>></div>
<div>> ----- Original Message -----</div>
<div>>> From: "Bappaditya Gorai (bgorai)" <<a
moz-do-not-send="true" href="mailto:bgorai@cisco.com">bgorai@cisco.com</a>></div>
<div>>> To: "Stian Thorgersen" <<a
moz-do-not-send="true" href="mailto:stian@redhat.com">stian@redhat.com</a>></div>
<div>>> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></div>
<div>>> Sent: Friday, 30 January, 2015 8:38:49 AM</div>
<div>>> Subject: RE: [keycloak-dev] Facing Issue with
Resource Server in Clustered Environment</div>
<div>>></div>
<div>>> We are not talking about clustering for Keycloak
server. The setup is </div>
<div>>> for Resource Server (Keycloak Adapter) in
clustered environment.</div>
<div>> Same answer</div>
<div>></div>
<div>>> Thanks</div>
<div>>> Bappaditya Gorai</div>
<div>>></div>
<div>>> -----Original Message-----</div>
<div>>> From: Stian Thorgersen [<a
moz-do-not-send="true" href="mailto:stian@redhat.com">mailto:stian@redhat.com</a>]</div>
<div>>> Sent: Friday, January 30, 2015 12:57 PM</div>
<div>>> To: Bappaditya Gorai (bgorai)</div>
<div>>> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></div>
<div>>> Subject: Re: [keycloak-dev] Facing Issue with
Resource Server in </div>
<div>>> Clustered Environment</div>
<div>>></div>
<div>>> 1.0.4.Final had very limited support for
clustering, please upgrade </div>
<div>>> to 1.1.0.Final and refer to chapter 24 and 25 in
the documentation </div>
<div>>> (<a moz-do-not-send="true"
href="http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html">http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html</a>).</div>
<div>>></div>
<div>>> ----- Original Message -----</div>
<div>>>> From: "Bappaditya Gorai (bgorai)" <<a
moz-do-not-send="true" href="mailto:bgorai@cisco.com">bgorai@cisco.com</a>></div>
<div>>>> To: <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></div>
<div>>>> Sent: Friday, 30 January, 2015 8:22:26 AM</div>
<div>>>> Subject: [keycloak-dev] Facing Issue with
Resource Server in Clustered</div>
<div>>>> Environment</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Hi Team,</div>
<div>>>></div>
<div>>>> Please find the details on setup and
observation below. Please </div>
<div>>>> provide your suggestion on how to overcome
this issue. We are using </div>
<div>>>> Keycloak 1.0.4.Final (Adapter & Server).</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Setup:</div>
<div>>>></div>
<div>>>> 1. We have brought up a JBoss cluster (using
mod_cluster, httpd) </div>
<div>>>> with</div>
<div>>>> 2 nodes in domain mode and enabled session
replication between these nodes.</div>
<div>>>></div>
<div>>>> 2. Our Resource server is deployed in this
clustered environment </div>
<div>>>> with distributable and Sticky session Off.</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Behavior observed :</div>
<div>>>></div>
<div>>>> During the Authorization/Authentication
process, when the initial </div>
<div>>>> call (Resource</div>
<div>>>> Access) lands on master and the next redirection
(post Code To token) </div>
<div>>>> falls on slave, the Adapter treats it as a
new session and </div>
<div>>>> redirects to the login URL again. So we ended
up with a circular redirection error.</div>
<div>>>> After further investigation, it seems like the
session replication delay is </div>
<div>>>> causing the adapter to behave this way, as the
redirection call happens </div>
<div>>>> very quickly and this results in a circular
redirection error.</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> NOTE: Sticky Session in mod_cluster
environment solves the issue but </div>
<div>>>> it does not provide true load balancing.
Therefore we are not </div>
<div>>>> considering the Sticky session option.</div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>></div>
<div>>>> Thanks</div>
<div>>>></div>
<div>>>> Bappaditya Gorai</div>
<div>>>></div>
<div>>>>
_______________________________________________</div>
<div>>>> keycloak-dev mailing list</div>
<div>>>> <a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></div>
<div>>>> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></div>
<div> </div>
<div> </div>
</span></font>
</blockquote>
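<div>The failure mode discussed in this thread, as an added toy model that is not part of the original messages and is not Keycloak adapter code: a non-sticky balancer sends the request after CODE_TO_TOKEN to a node whose session copy has not been replicated yet. The node names, the session id and the replication delay counted in requests are constructed assumptions.</div>

```python
# Added illustration: a toy model, not Keycloak adapter code. Node names, the
# session id and the "delay counted in requests" unit are constructed assumptions.
from itertools import cycle

class Cluster:
    def __init__(self, delay, sticky):
        self.sessions = {"master": {}, "slave": {}}   # per-node HTTP session copies
        self.order = cycle(["master"] if sticky else ["master", "slave"])
        self.delay = delay        # requests that pass before a write reaches the peer
        self.pending = []         # (due_tick, session_id, principal)
        self.tick = 0

    def route(self):
        """Balancer picks a node; replication writes that are due are applied first."""
        self.tick += 1
        for due, sid, principal in self.pending:
            if self.tick >= due:
                for copy in self.sessions.values():
                    copy[sid] = principal
        self.pending = [p for p in self.pending if p[0] > self.tick]
        return next(self.order)

    def store(self, node, sid, principal):
        self.sessions[node][sid] = principal          # visible locally at once
        self.pending.append((self.tick + self.delay + 1, sid, principal))

def login_flow(token_store, delay, sticky=False, max_redirects=6):
    """Return (outcome, redirects) for one browser requesting a protected resource."""
    cluster, cookies, redirects, step = Cluster(delay, sticky), {}, 0, "resource"
    while True:
        if redirects > max_redirects:                 # browser gives up: circular redirect
            return ("redirect-loop", redirects)
        node = cluster.route()
        if step == "callback":                        # CODE_TO_TOKEN runs on this node
            if token_store == "cookie":
                cookies["principal"] = "alice"        # stateless: state travels with the browser
            else:
                cluster.store(node, "sid-1", "alice") # state lives in the HTTP session
            step = "resource"                         # 302 back to the resource
        else:
            seen = cookies if token_store == "cookie" else cluster.sessions[node]
            key = "principal" if token_store == "cookie" else "sid-1"
            if key in seen:
                return ("200", redirects)
            step = "callback"                         # 302 to login; SSO returns a code at once
        redirects += 1

if __name__ == "__main__":
    for args in [("session", 10), ("session", 0), ("session", 10, True), ("cookie", 10)]:
        print(args, login_flow(*args))
```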
<br>
</body>
</html>