[keycloak-user] Standalone HA tokens not immediately shared among nodes

D V dv at glyphy.com
Tue Sep 18 17:01:41 EDT 2018


The issue was resolved in a somewhat unexpected way. I had a custom
org.keycloak.storage.UserStorageProviderFactory SPI registered that
returned providers
implementing org.keycloak.storage.user.UserLookupProvider,
but the org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't
fully filled out. I just had it return null. It wasn't obvious to me that
it was required (or under what circumstances). Once I implemented it, the
experiments in my original message passed. I did have to set owners to 2
for the "sessions" and "clientSessions" distributed cache Infinispan
configs.

One thing I noticed is that node2 (the one that doesn't get hit on the
initial password auth) has to do a lookup via getUserById the first time it
handles a grant_type=refresh_token auth. Is the data it needs not shared
across the cluster? It seems to be cached only locally on the node. Just as
a test I tried to set all configured non-local caches to be replicated and
it didn't help. Any thoughts about this?

Thanks,
DV
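
As an added example (not code from the message above and not Keycloak's own code), here is a minimal read-only user storage provider whose getUserById resolves Keycloak's composite federated id instead of returning null, which is the situation the message describes: a node that has only seen the user session (for example on a grant_type=refresh_token request) holds nothing but that id and must be able to turn it back into a UserModel. The code targets the Keycloak 4.x API current in 2018, where the lookup signature is getUserById(String id, RealmModel realm) (later releases swapped the argument order); the package name, the provider id and the in-memory directory are assumptions and constructed sample data.

```java
package com.example.keycloak.storage; // package name is an assumption

import java.util.HashMap;
import java.util.Map;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Example read-only user storage provider (added example, not Keycloak code).
 * The "directory" is a constructed in-memory map of externalId -> username;
 * a real provider would query LDAP, a database, a REST API, etc.
 */
public class ExampleUserStorageProvider implements UserStorageProvider, UserLookupProvider {

    private final KeycloakSession session;
    private final ComponentModel model;
    private final Map<String, String> directory;

    public ExampleUserStorageProvider(KeycloakSession session, ComponentModel model,
                                      Map<String, String> directory) {
        this.session = session;
        this.model = model;
        this.directory = directory;
    }

    /**
     * Keycloak refers to federated users by the composite id "f:<componentId>:<externalId>".
     * A node that only holds the user session (e.g. on a refresh_token grant) has nothing
     * but that id, so it must be resolvable here; returning null means "no such user".
     */
    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        StorageId storageId = new StorageId(id);
        // Locally stored users carry no provider id, and ids owned by another
        // federation component must not be answered by this one.
        if (storageId.getProviderId() == null || !model.getId().equals(storageId.getProviderId())) {
            return null;
        }
        String externalId = storageId.getExternalId();
        String username = directory.get(externalId);
        return username == null ? null : adapt(realm, externalId, username);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        for (Map.Entry<String, String> e : directory.entrySet()) {
            if (e.getValue().equalsIgnoreCase(username)) {
                return adapt(realm, e.getKey(), e.getValue());
            }
        }
        return null;
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return null; // the sample directory carries no e-mail addresses
    }

    private UserModel adapt(RealmModel realm, String externalId, String username) {
        return new AbstractUserAdapter(session, realm, model) {
            @Override
            public String getId() {
                // Emit the same composite id that getUserById expects to receive back.
                return StorageId.keycloakId(model, externalId);
            }

            @Override
            public String getUsername() {
                return username;
            }
        };
    }

    // Nothing to clean up: the provider holds no external connections.
    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }
    @Override public void close() { }

    /** Factory to list in META-INF/services/org.keycloak.storage.UserStorageProviderFactory. */
    public static class Factory implements UserStorageProviderFactory<ExampleUserStorageProvider> {
        public static final String PROVIDER_ID = "example-user-storage"; // assumed provider id
        private static final Map<String, String> SAMPLE_DIRECTORY = new HashMap<>();
        static {
            // Constructed sample data: external id -> username.
            SAMPLE_DIRECTORY.put("1001", "alice");
            SAMPLE_DIRECTORY.put("1002", "bob");
        }

        @Override
        public ExampleUserStorageProvider create(KeycloakSession session, ComponentModel model) {
            return new ExampleUserStorageProvider(session, model, SAMPLE_DIRECTORY);
        }

        @Override
        public String getId() {
            return PROVIDER_ID;
        }
    }
}
```

The provider id check in getUserById matters in a deployment with more than one federation component: each component gets its own ComponentModel id, and answering for an id that belongs to another component would let one store impersonate another's users. Once the factory is registered through the services file and the component is added under User Federation, the composite id that getId() emits is what lands in the user session and is what every cluster node, including one that never handled the password login, will pass back into getUserById. The Infinispan owners count mentioned in the message is the owners attribute on the <distributed-cache name="sessions"> and <distributed-cache name="clientSessions"> elements of the keycloak cache container in standalone-ha.xml.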
