[keycloak-user] Cross-Site Replication

Riedel, Sven Sven.Riedel at glomex.com
Fri May 13 04:10:30 EDT 2016


Hi,
in my current project we would need to do a cross-site replication of
Keycloak data, i.e. we'd have one "master" cluster with authoritative user
data, and multiple "slave" clusters in different computing centers. Realm
and user data are only written to the master cluster and the slave clusters
are read-only. Session data could be handled independently for each
cluster.

I have a few questions about this use case:

- Can I use Keycloak's clustering via Infinispan for this? I have no
experience with Infinispan, but I could imagine that the cross-site
latency would destroy performance.

- The other naive approach would be to do a database replication between
the sites. The problem I see here is that the Keycloak invalidation cache
would not respond to data that is changed in the backing database via
replication, and I'd either have to disable the caches (which I'd prefer
not to do) or periodically flush the caches via some scheduled job in the
slave clusters. Is this correct?

- Does some other mechanism for the cross-site replication use case
already exist that I'm not aware of?

I'm kind of hoping that we won't have to write components that feed data
changes via API to the slave clusters so that we can use the invalidation
caches without problems.

Any thoughts are welcome.

Thanks,
Sven


-- 
Sven Riedel
Senior Systemsarchitect

glomex GmbH
A ProSiebenSat.1 Media SE company

Medienallee 4
D-85774 Unterföhring
Tel. +49 [89] 9507-8167
sven.riedel at glomex.com

Managing Directors: Michael Jaschke, Arnd Mückenberger
HRB 224542, Munich District Court
VAT ID No. DE 218559421
Tax No. 143/141/71293

