<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 26 February 2016 at 10:24, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi,<span class=""><br>
    <br>
    <div>On 26.2.2016 09:33, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">This should work just fine without sticky sessions.</div>
    </blockquote>
    <br></span>
    Sure, but there may be latencies or so between nodes which may bring
    problems, and it is always hard to troubleshoot this kind of
    problem. Sticky sessions generally lower the probability of this kind
    of operational problem; this is why I like them and use them ;-)
    But correctly configured replication is necessary even in the case of
    sticky sessions to have failover.</div></blockquote><div><br></div><div>That&#39;s why we use sync, not async.</div><div><br></div><div>But, I agree sticky sessions would be nice.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class=""><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr"> We also don&#39;t support sticky sessions at the
        moment as there&#39;s no cookie to stick on. We&#39;re going to look
        into supporting sticky sessions soon.</div>
    </blockquote>
    <br></span>
    Some loadbalancers are able to make sticky sessions on their own, even
    if the application itself does not provide any cookie. We use this on the RHD
    website, we have an F5 loadbalancer which handles sticky sessions for
    us (I think it creates its own cookie), and is able to correctly
    fail over when a keycloak node dies. <br></div></blockquote><div><br></div><div>What makes it non-trivial is that there are two different things using the same session and user: the user&#39;s browser (for login redirects and also html5 apps) and also server-side applications. These will have different IP addresses. So simply setting up sticky sessions based on the source won&#39;t work.</div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
    <br>
    So don&#39;t tell your users that Keycloak doesn&#39;t support sticky
    sessions at all, it works with sticky sessions correctly if provided
    by loadbalancer by some way not relying on cookie provided by
    Keycloak itself. ;-) </div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><span class="HOEnZb"><font color="#888888"><br>
    <br>
    Vlastimil</font></span><div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 26 February 2016 at 09:29, Vlastimil
          Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> What about
              configuring <span lang="EN-US">Loadbalancer to use sticky
                sessions?<br>
                <br>
                Vlastimil<br>
              </span>
              <div>
                <div><br>
                  <div>On 25.2.2016 16:10, Peter Krivansky wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div>
                      <p class="MsoNormal">Hello,</p>
                      <p class="MsoNormal"> </p>
                      <p class="MsoNormal"><span lang="EN-US">I have a
                          Keycloak cluster with two servers, in front of
                          each Keycloak is Apache running.</span></p>
                      <p class="MsoNormal"><span lang="EN-US"> </span></p>
                      <p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US">LB</span></p>
                      <p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US">/\</span></p>
                      <p class="MsoNormal"><span lang="EN-US">  Host A  
                           Host B</span></p>
                      <p class="MsoNormal"><span lang="EN-US"> </span></p>
                      <p class="MsoNormal"><span lang="EN-US">Now,
                          Host-A and Host-B are in different subnets,
                          due to this design we are running jGroups via
                          TCP. </span></p>
                      <p class="MsoNormal"><span lang="EN-US">Now
                          everything is working fine, except for the
                          Keycloak Admin console, once a user tries to
                          log in, they get for a millisecond into the
                          Admin console, but then they get redirected to
                          the login page immediately.</span></p>
                      <p class="MsoNormal"><span lang="EN-US">When I
                          disable Host-A or Host-B on the Loadbalancer,
                          (new sessions will land only on Host-A or
                          Host-B) the Login to Keycloak Admin Console
                          will work normally.</span></p>
                      <p class="MsoNormal"><span lang="EN-US">During the
                          immediate redirection there is only this one
                          WARNING in the Server.log:</span></p>
                      <p class="MsoNormal"><span lang="EN-US"> </span></p>
                      <p class="MsoNormal"><span lang="EN-US">15:41:42,886
                          WARN 
                          [org.jboss.resteasy.core.ExceptionHandler]
                          (default task-10) Failed executing GET
                          /admin/serverinfo:
                          org.jboss.resteasy.spi.UnauthorizedException:
                          Bearer</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:156)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:209)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
                          sun.reflect.NativeMethodAccessorImpl.invoke0(Native
                          Method)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
                          java.lang.reflect.Method.invoke(Method.java:498)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
                          javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
                          io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">     
                             at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">     
                             at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
                          io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
                          io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</span></p>
                      <p class="MsoNormal"><span lang="EN-US">        
                          at java.lang.Thread.run(Thread.java:745)</span></p>
                      <p class="MsoNormal"><span lang="EN-US"></span></p>
                      <p class="MsoNormal"><span lang="EN-US"> </span></p>
                      <p class="MsoNormal"><span lang="EN-US">I attached
                          my domain.xml</span></p>
                      <p class="MsoNormal"><span lang="EN-US">Have I
                          missed something, or what did I do wrong?  </span></p>
                      <p class="MsoNormal"><span lang="EN-US"> </span></p>
                      <p class="MsoNormal"><span lang="EN-US">With Kind
                          regards Peter</span></p>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <span>
                  <pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
                </span></blockquote>
              <span><font color="#888888"> <br>
                  <pre cols="72">-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
                </font></span></div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div></div>
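<p>The point made in the reply above (a browser and a server-side application use the same session but arrive from different addresses), as a toy model added here; it is not part of the original thread and is not Keycloak or load-balancer code. The node names, the addresses and the modulo routing rule are assumptions made for illustration.</p>

```python
# Toy model (constructed for illustration; not Keycloak or load-balancer code).
import ipaddress
import uuid


class Node:
    """One server holding user sessions in a local cache."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}


class Cluster:
    def __init__(self, node_names, replicate):
        self.nodes = [Node(n) for n in node_names]
        self.replicate = replicate  # True models a synchronously replicated cache

    def route(self, source_ip):
        """Source-IP affinity: the same client address always hits the same node."""
        return self.nodes[int(ipaddress.ip_address(source_ip)) % len(self.nodes)]

    def login(self, source_ip, user):
        """Browser login: the session is created on whichever node the LB picked."""
        node = self.route(source_ip)
        session_id = uuid.uuid4().hex
        targets = self.nodes if self.replicate else [node]
        for n in targets:
            n.sessions[session_id] = user
        return session_id, node.name

    def call(self, source_ip, session_id):
        """Any later request that references the session, from any caller."""
        node = self.route(source_ip)
        status = 200 if session_id in node.sessions else 401
        return status, node.name


def scenario(replicate):
    """Browser and server-side application share one session but not one IP."""
    browser_ip, backend_ip = "198.51.100.10", "203.0.113.21"  # documentation addresses
    cluster = Cluster(["host-a", "host-b"], replicate)
    session_id, login_node = cluster.login(browser_ip, "admin")
    return {
        "login_node": login_node,
        "browser": cluster.call(browser_ip, session_id),
        "backend": cluster.call(backend_ip, session_id),
    }


if __name__ == "__main__":
    for replicate in (False, True):
        print("replicated" if replicate else "local only", scenario(replicate))
```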