<div dir="ltr">Unless we can use a header or cookie on the server-side to do sticky sessions there as well. We could extend adapters to include it.</div><div class="gmail_extra"><br><div class="gmail_quote">On 26 February 2016 at 14:56, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Sure thing, sticky sessions can cover requests from browsers only; KC
state replication is always necessary to cover requests from
server-side applications.<br>
<br>
Vl.<div><div class="h5"><br>
<br>
<div>On 26.2.2016 13:27, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 26 February 2016 at 10:24,
Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<span><br>
<br>
<div>On 26.2.2016 09:33, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">This should work just fine without
sticky sessions.</div>
</blockquote>
<br>
</span> Sure, but there may be latencies or so between
nodes which may bring problems, and it is always hard to
troubleshoot this kind of problem. Sticky sessions
generally lower the probability of this kind of operational
problem, this is why I like them and use them ;-) But
correctly configured replication is necessary even in
the case of sticky sessions to have failover.</div>
</blockquote>
<div><br>
</div>
<div>That's why we use sync, not async.</div>
<div><br>
</div>
<div>But, I agree sticky sessions would be nice.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><br>
<br>
<blockquote type="cite">
<div dir="ltr"> We also don't support sticky
sessions at the moment as there's no cookie to
stick on. We're going to look into supporting
sticky sessions soon.</div>
</blockquote>
<br>
</span> Some load balancers are able to make sticky
sessions on their own, even if the application itself does not
provide any cookie. We use this on the RHD website, we have
an F5 load balancer which handles sticky sessions for us (I
think it creates its own cookie), and is able to correctly
fail over when a Keycloak node dies. <br>
</div>
</blockquote>
<div><br>
</div>
<div>What makes it non-trivial is that there are two
different things using the same session and user. The
user's browser (for login redirects and also html5 apps)
and also server-side applications. These will have
different IP addresses. So simply setting up sticky
sessions based on the source won't work.</div>
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
So don't tell your users that Keycloak doesn't support
sticky sessions at all; it works with sticky sessions
correctly if provided by the load balancer in some way not
relying on a cookie provided by Keycloak itself. ;-) </div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><font color="#888888"><br>
<br>
Vlastimil</font></span>
<div>
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 26 February 2016 at
09:29, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> What
about configuring <span lang="EN-US">Loadbalancer
to use sticky sessions?<br>
<br>
Vlastimil<br>
</span>
<div>
<div><br>
<div>On 25.2.2016 16:10, Peter
Krivansky wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div>
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-US">I have a Keycloak
cluster with two servers; in
front of each Keycloak there is
Apache running.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US">LB</span></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US">/\</span></p>
<p class="MsoNormal"><span lang="EN-US"> Host A Host
B</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Now, Host-A and
Host-B are in different
subnets, due to this design we
are running jGroups via TCP. </span></p>
<p class="MsoNormal"><span lang="EN-US">Now everything is
working fine, except for the
Keycloak Admin console: once a
user tries to log in, they get
into the Admin console for a
millisecond, but then they
get redirected to the login
page immediately.</span></p>
<p class="MsoNormal"><span lang="EN-US">When I disable
Host-A or Host-B on the
Loadbalancer (new sessions
will land only on Host-A or
Host-B), the login to the Keycloak
Admin Console will work
normally.</span></p>
<p class="MsoNormal"><span lang="EN-US">During the
immediate redirection there is
only this one WARNING in the
Server.log:</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">15:41:42,886
WARN
[org.jboss.resteasy.core.ExceptionHandler]
(default task-10) Failed
executing GET
/admin/serverinfo:
org.jboss.resteasy.spi.UnauthorizedException:
Bearer</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:156)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:209)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.lang.reflect.Method.invoke(Method.java:498)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</span></p>
<p class="MsoNormal"><span lang="EN-US"> at
java.lang.Thread.run(Thread.java:745)</span></p>
<p class="MsoNormal"><span lang="EN-US"></span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">I attached my
domain.xml</span></p>
<p class="MsoNormal"><span lang="EN-US">Have I missed
something, or what did I
do wrong? </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">With Kind regards
Peter</span></p>
</div>
<br>
<br>
</div>
</div>
<span>
<pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div></div></div>
</blockquote></div><br></div>
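The routing problem discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: a two-node simulation comparing source-IP affinity with affinity on a key that both the browser and the server-side application present, with and without state replication and node failover. All names, the sample addresses, the session identifier and the toy affinity function are assumptions made for illustration.

```python
"""Added illustration: sticky-session routing vs. session-state replication."""

NODES = ["host-a", "host-b"]
BROWSER_IP = "203.0.113.10"          # constructed sample address (user's browser)
BACKEND_IP = "198.51.100.21"         # constructed sample address (server-side app)
SESSION_ID = "sess-constructed-001"  # constructed sample session identifier


class Cluster:
    """Two nodes holding session state; replicate=False models missing replication."""

    def __init__(self, replicate):
        self.replicate = replicate
        self.alive = list(NODES)
        self.sessions = {node: set() for node in NODES}

    def login(self, node, session_id):
        # With replication the session is written to every node, otherwise only locally.
        for target in (NODES if self.replicate else [node]):
            self.sessions[target].add(session_id)

    def validate(self, node, session_id):
        return session_id in self.sessions[node]


def pick(key, alive):
    """Toy deterministic affinity: same key and same node set give the same node."""
    return alive[sum(key.encode()) % len(alive)]


def scenario(affinity, replicate, node_dies=False):
    """Browser logs in, then the server-side app presents the same session.

    Returns (login_node, backend_node, backend_request_accepted).
    """
    cluster = Cluster(replicate)
    key_of = {"source-ip": lambda src: src, "session-key": lambda src: SESSION_ID}[affinity]
    login_node = pick(key_of(BROWSER_IP), cluster.alive)
    cluster.login(login_node, SESSION_ID)
    if node_dies:
        cluster.alive.remove(login_node)  # failover: the sticky target is gone
    backend_node = pick(key_of(BACKEND_IP), cluster.alive)
    return login_node, backend_node, cluster.validate(backend_node, SESSION_ID)


if __name__ == "__main__":
    for args in [("source-ip", False), ("source-ip", True),
                 ("session-key", False), ("session-key", False, True),
                 ("session-key", True, True)]:
        print(args, "->", scenario(*args))
```

Source-IP affinity sends the two clients to different nodes, so only replication lets the second request succeed; a shared affinity key keeps them together, but replication is still what makes failover work.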