<div dir="ltr">Your issue doesn't have anything to do with the Keycloak server side user sessions, they don't require sticky sessions. <div><br></div><div>Your issue is down to the http session on the adapter side not being replicated by default. For the adapter you've got 3 choices: sticky session, replicated session or stateless. Which is best depends on your application.<div><br><div><br><div class="gmail_extra"><div class="gmail_quote">On 25 January 2016 at 14:05, Christian Beikov <span dir="ltr"><<a href="mailto:christian.beikov@gmail.com" target="_blank">christian.beikov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I don't have a problem with sticky sessions and I will definitively
configure them, but I am curious. What is the reason for the
problems with round robin in this test scenario? Are the infinispan
caches not replicated fast enough or is there an implementation
limitation in the adapters?</div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
Regards,<br>
Christian<div><div class="h5"><br>
<br>
<div>Am 25.01.2016 um 08:58 schrieb Stian
Thorgersen:<br>
</div>
<blockquote type="cite">
<div dir="ltr">By default the adapters will require sticky
sessions, please refer to <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html</a>
for more information</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 22 January 2016 at 12:48, Christian
Beikov <span dir="ltr"><<a href="mailto:christian.beikov@gmail.com" target="_blank">christian.beikov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I am running some tests with my application cluster being
secured by a<br>
single keycloak server instance and I encountered problems
with the adapter.<br>
<br>
My application cluster contains 2 nodes and is load balanced
by nginx.<br>
For testing purposes, I enabled round robin load balancing
which is<br>
probably the "cause" for my issues.<br>
<br>
When I access a secured page, I get redirected to keycloak
and<br>
everything is fine. When I then login, and keycloak
redirects me back to<br>
the application, I get to a different application cluster
node because<br>
of round robin. On that node, apparently the initial
information of the<br>
client session is not available and I get redirected to
keycloak login<br>
page again. Then keycloak redirects me back to the
application, this<br>
time to the original node, and says that access is
forbidden.<br>
<br>
I suppose the web session caches are not in sync but I just
used the<br>
default cache containers as they are defined in
standalone-ha.xml of my<br>
Wildlfy 10 CR4. Clustering with jgroups works, as I use
other<br>
distributed caches too which work just fine.<br>
<br>
We are using Keycloak 1.8.0.CR2 on a Wildfly 10 CR4<br>
<br>
Regards,<br>
Christian<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div></div></div></div></div>