[keycloak-user] refresh_token flow doesn't work with a standalone_ha setup

Marek Posolda mposolda at redhat.com
Tue Mar 13 16:23:23 EDT 2018


On 13/03/18 20:10, Soumya Mishra wrote:
> Does anyone know anything about this?
>
> On Mon, Mar 12, 2018 at 1:06 PM, Soumya Mishra <soumya.mishra at aktana.com>
> wrote:
>
>> Hello All,
>>
>> I am facing a problem with running Keycloak in standalone clustered mode
>> (i.e., standalone-ha mode). I have a set of 3 clusters and am using a load
>> balancer on top of it.
>>
>> I am able to login properly each time. But the refresh_token and
>> offline_access token flow is not working properly because the load balancer
>> is hitting different instances at different times. It only works when the
>> load balancer hits the instance from which the token was generated.
>>
>> I compared various tokens generated by all the different instances and I
>> see that iss, iat and jti values are different for each of the tokens. Is
>> it a problem?
No, it shouldn't be. That is expected.

Is the shared database correctly set? And are sessions replicated? I suggest 
you try to open the admin console and open the "sessions" tab for any realm, 
user or client. You can open it on all 3 nodes (alternatively, if you can't 
open the Keycloak backend nodes directly, open it through the load balancer 
until you make sure that the load balancer has redirected you to all 3 nodes) 
and compare whether the "sessions" are the same on every node. If not, then 
your clustering setup is broken.

We have some info in our clustering docs; I suggest looking there.

Marek
>>
>> Please let me know if anybody has any idea how this issue should be fixed
>> or where I am going wrong.
>>
>> Regards,
>> Soumya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
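
Added example, not part of the original thread and not Keycloak's own code: the per-node session comparison suggested above, done through the admin REST API instead of the console, plus a lookup of which nodes have no record of the session named in a refresh token's session_state claim. The node URLs, realm, client UUID and the /auth/admin path prefix (as used by Keycloak releases of that period) are assumptions, and the sample data is constructed.

```python
import base64
import json
from urllib.request import Request, urlopen

def session_of(refresh_token):
    """Return the session_state claim of a refresh token (decoded, not verified)."""
    payload = refresh_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["session_state"]

def fetch_sessions(node_url, realm, client_uuid, admin_token):
    """List the user sessions of one client as seen by a single backend node."""
    url = f"{node_url}/auth/admin/realms/{realm}/clients/{client_uuid}/user-sessions"
    req = Request(url, headers={"Authorization": f"Bearer {admin_token}"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

def missing_sessions(per_node):
    """Map each node to the session ids that other nodes know but it does not."""
    ids = {node: {s["id"] for s in sessions} for node, sessions in per_node.items()}
    everything = set().union(*ids.values())
    return {node: sorted(everything - seen) for node, seen in ids.items()}

def nodes_without_session(refresh_token, per_node):
    """Nodes that have no record of the session behind this refresh token."""
    sid = session_of(refresh_token)
    return sorted(n for n, sessions in per_node.items()
                  if sid not in {s["id"] for s in sessions})

# Constructed helper and data: stand-ins for a real token and fetch_sessions() output.
def fake_token(sid):
    body = base64.urlsafe_b64encode(json.dumps({"session_state": sid}).encode())
    return "e30." + body.decode().rstrip("=") + ".sig"

SAMPLE = {
    "node1": [{"id": "aaa-111", "username": "alice"}, {"id": "bbb-222", "username": "bob"}],
    "node2": [{"id": "aaa-111", "username": "alice"}],
    "node3": [{"id": "bbb-222", "username": "bob"}],
}

if __name__ == "__main__":
    print(missing_sessions(SAMPLE))
    print(nodes_without_session(fake_token("bbb-222"), SAMPLE))
```

An empty list for every node means all nodes see the same sessions; any non-empty list points at the broken replication described in the reply.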



