[keycloak-user] Does Keycloak need sticky session at the load balancer?

Sebastian Laskawiec slaskawi at redhat.com
Thu Aug 23 04:24:49 EDT 2018


On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Hello Keycloakers,
>
> I have some doubts regarding Keycloak and load balancers. I set up two
> Keycloak replicas to provide HA. To start them I am using “./standalone.sh
> --server-config=standalone-ha.xml”. I am assuming that they will use
> multicast to replicate information between nodes, right?
>

That is correct. It uses the PING protocol, which in turn uses IP Multicasting
for discovery.

Note that IP Multicasting is disabled in many data centers (I have never
found out why they do it, but I've seen it many, many times). So make sure
your cluster forms correctly (just grep logs and look for "view").


> Then, I set up a load balancer layer using Apache HTTPD and AJP connector
> via 8009 port. To make everything work I needed to use sticky session;
> otherwise, the login would never happen. I am fine with the sticky session,
> however, if I stop one of the replicas where the user is logged in, when
> the user accesses Keycloak again, he/she is asked to present the credentials
> as if he/she was not logged in the other Keycloak replica. Is that the
> expected behavior?
>

My intuition tells me that your cluster didn't form correctly (as I
mentioned before, grep the logs and look for "view" generated by JGroups).
Therefore, if you enable sticky session, all your requests get to the same
Keycloak instance, which has everything in the local cache. That's why it
works fine.


>
> Is there some troubleshooting or test that I can perform to check if
> replication is being executed?
>

Let's start with investigating the logs. Later on we can check JMX.


>
> --
> Rafael Weingärtner
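
The log check suggested in the reply above (grep for "view"), as an added example that is not part of the original thread: it parses view announcements and reports whether the last view contains as many members as replicas were started. It assumes the `ISPN000094: Received new cluster view` line format logged by Infinispan on WildFly-based Keycloak; the node names `kc1`/`kc2`, the function names and the sample log lines are constructed for illustration.

```python
import re

# Assumed line format (Infinispan message ISPN000094), e.g.
#   ... ISPN000094: Received new cluster view for channel ejb: [kc1|1] (2) [kc1, kc2]
VIEW_RE = re.compile(
    r"Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \(\d+\) \[(?P<members>[^\]]*)\]"
)

def parse_views(lines):
    """Return every view change found in the log, oldest first."""
    views = []
    for line in lines:
        m = VIEW_RE.search(line)
        if m:
            members = [n.strip() for n in m.group("members").split(",") if n.strip()]
            views.append({"channel": m.group("channel"),
                          "coordinator": m.group("coord"),
                          "view_id": int(m.group("view_id")),
                          "members": members})
    return views

def check_cluster(lines, expected_nodes):
    """Classify the most recent view: 'no-view', 'partial' or 'ok'."""
    views = parse_views(lines)
    if not views:
        return "no-view", []          # clustering subsystem never announced a view
    members = views[-1]["members"]
    if len(members) < expected_nodes:
        return "partial", members     # node is alone: discovery (e.g. multicast) failed
    return "ok", members

# Constructed sample logs, not taken from a real deployment.
PREFIX = ("2018-08-23 10:01:12,345 INFO  "
          "[org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
          "(MSC service thread 1-3) ISPN000094: ")
LOG_ISOLATED = [PREFIX + "Received new cluster view for channel ejb: [kc1|0] (1) [kc1]",
                "2018-08-23 10:01:20,001 INFO  [org.jboss.as] WFLYSRV0025: started"]
LOG_CLUSTERED = [PREFIX + "Received new cluster view for channel ejb: [kc1|0] (1) [kc1]",
                 PREFIX + "Received new cluster view for channel ejb: [kc1|1] (2) [kc1, kc2]"]

if __name__ == "__main__":
    for name, log in (("isolated", LOG_ISOLATED), ("clustered", LOG_CLUSTERED)):
        status, members = check_cluster(log, expected_nodes=2)
        print(f"{name}: {status} members={members}")
```

A `partial` result on every replica matches the symptom described in the thread: each node only has its own local cache, so login works with sticky sessions and the session is gone when that node stops.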

