<div dir="ltr">We have discovered the issue. Both keycloak instances had a 1:30&#39; difference and this caused the token validation error. <div><br></div><div>We&#39;ve synchronized both servers&#39; time and everything is working perfectly now!</div><div><br></div><div>Thank you all for your help!</div><div>Nicolas.-</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-17 19:06 GMT-03:00 Bill Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    What is the error event when the token is not valid?  I&#39;m guessing that
    this is happening on code to token.  If so, that may mean that the
    clustered cache is still not set up correctly.<div><div class="h5"><br>
    <br>
    <div>On 2/17/2016 4:53 PM, Aikeaguinea
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      
      <div>I haven&#39;t found any way around this other than turning on
        session affinity at the load balancer level.</div>
      <div> </div>
      <div> </div>
      <div>On Wed, Feb 17, 2016, at 03:37 PM, Nicolás Pozo wrote:<br>
      </div>
      <blockquote type="cite">
        <div dir="ltr">
          <div>Hi,<br>
          </div>
          <div><span style="color:rgb(80,0,80)">JDBC_PING
              did the Job and infinispan seems to be working now. But I
              have another issue. </span><br>
          </div>
          <div> </div>
          <div><span style="color:rgb(80,0,80)">I have
              2 keycloak instances running behind a load balancer. When
              I get a token from server 1 and then the load balancer sends
              requests to server 2 using this token, I get an error 401
              because the token is not valid. Is there any other missing
              configuration to synchronize tokens? </span><br>
          </div>
          <div> </div>
          <div><span style="color:rgb(80,0,80)">Thanks,</span><br>
          </div>
          <div>
            <div><span style="color:rgb(80,0,80)">Nicolás.-<br>
              </span></div>
            <div>
              <div> </div>
              <div>
                <div>2016-02-17 13:01 GMT-03:00 Aikeaguinea <span dir="ltr">&lt;<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>&gt;</span>:<br>
                </div>
                <blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                  <div>Apologies to those reading my message in
                    plaintext; apparently all the<br>
                  </div>
                  <div>
                    spaces come out as question marks. I&#39;ve updated the
                    message to use<br>
                  </div>
                  <div>
                    plaintext below.<br>
                  </div>
                  <div> </div>
                  <div>
--------------------------------------------------------------------------------------------------------------------------------------------<br>
                  </div>
                  <div>
                    <div>
                      <div> </div>
                      <div>
                        I just got JGroups/Infinispan with JDBC_PING
                        working from inside a<br>
                      </div>
                      <div>
                        Docker cluster in ECS on EC2. I use JDBC_PING
                        rather than S3_PING, since<br>
                      </div>
                      <div>
                        I need a database anyway and didn&#39;t want to have
                        to set up an S3 bucket<br>
                      </div>
                      <div>
                        just for this one purpose. Nicolás, if you&#39;re on
                        AWS the default UDP<br>
                      </div>
                      <div>
                        transport for JGroups doesn&#39;t work because
                        multicast isn&#39;t supported<br>
                      </div>
                      <div>
                        inside EC2, which may be your problem.<br>
                      </div>
                      <div> </div>
                      <div>
                        Here are the configurations you&#39;d need:<br>
                      </div>
                      <div> </div>
                      <div>
                        1. The JGroups module has to reference the db
                        module. So in<br>
                      </div>
                      <div>
                        jgroups-module.xml I have:<br>
                      </div>
                      <div> </div>
                      <pre>
  &lt;dependencies&gt;
    &lt;module name=&quot;javax.api&quot;/&gt;
    &lt;module name=&quot;org.postgresql.jdbc&quot;/&gt;
  &lt;/dependencies&gt;
</pre>
                      <div> </div>
                      <div>
                        2. The standalone-ha.xml has a JGroups subsystem
                        (with TCP and<br>
                      </div>
                      <div>
                        JDBC_PING) that looks like the configuration
                        below; I read certain<br>
                      </div>
                      <div>
                        variables from the environment, but may use the
                        Wildfly vault tool for<br>
                      </div>
                      <div>
                        some of them. The external_addr property
                        configurations are only needed<br>
                      </div>
                      <div>
                        if you&#39;re inside a Docker container, since
                        Wildfly has to read the<br>
                      </div>
                      <div>
                        address of the EC2 instance hosting the
                        container to register itself<br>
                      </div>
                      <div>
                        with JGroups. For the initialize_sql you can
                        generally use the default,<br>
                      </div>
                      <div>
                        but for Postgres I needed a custom DDL because I
                        needed the BYTEA data<br>
                      </div>
                      <div>
                        type which isn&#39;t in the default DDL.<br>
                      </div>
                      <div> </div>
                      <pre>
&lt;subsystem xmlns=&quot;urn:jboss:domain:jgroups:4.0&quot;&gt;
  &lt;channels default=&quot;ee&quot;&gt;
    &lt;channel name=&quot;ee&quot; stack=&quot;tcp&quot;/&gt;
  &lt;/channels&gt;

  &lt;stacks default=&quot;tcp&quot;&gt;
    &lt;stack name=&quot;tcp&quot;&gt;
      &lt;transport type=&quot;TCP&quot; socket-binding=&quot;jgroups-tcp&quot;&gt;
        &lt;property name=&quot;external_addr&quot;&gt;${env.EXTERNAL_HOST_IP}&lt;/property&gt;
      &lt;/transport&gt;

      &lt;protocol type=&quot;JDBC_PING&quot;&gt;
        &lt;property name=&quot;connection_driver&quot;&gt;org.postgresql.Driver&lt;/property&gt;
        &lt;property name=&quot;connection_url&quot;&gt;jdbc:postgresql://${env.POSTGRES_TCP_ADDR}:${env.POSTGRES_TCP_PORT}/${env.POSTGRES_DATABASE}&lt;/property&gt;
        &lt;property name=&quot;connection_username&quot;&gt;${env.POSTGRES_USER}&lt;/property&gt;
        &lt;property name=&quot;connection_password&quot;&gt;${env.POSTGRES_PASSWORD}&lt;/property&gt;
        &lt;property name=&quot;initialize_sql&quot;&gt;
          CREATE TABLE IF NOT EXISTS jgroupsping (
            own_addr VARCHAR(200) NOT NULL,
            cluster_name VARCHAR(200) NOT NULL,
            ping_data BYTEA DEFAULT NULL,
            PRIMARY KEY (own_addr, cluster_name)
          )
        &lt;/property&gt;
      &lt;/protocol&gt;

      &lt;protocol type=&quot;MERGE3&quot;/&gt;
      &lt;protocol type=&quot;FD_SOCK&quot; socket-binding=&quot;jgroups-tcp-fd&quot;&gt;
        &lt;property name=&quot;external_addr&quot;&gt;${env.EXTERNAL_HOST_IP}&lt;/property&gt;
      &lt;/protocol&gt;

      &lt;protocol type=&quot;FD&quot;/&gt;
      &lt;protocol type=&quot;VERIFY_SUSPECT&quot;/&gt;
      &lt;protocol type=&quot;pbcast.NAKACK2&quot;/&gt;
      &lt;protocol type=&quot;UNICAST3&quot;/&gt;
      &lt;protocol type=&quot;pbcast.STABLE&quot;/&gt;
      &lt;protocol type=&quot;pbcast.GMS&quot;/&gt;
      &lt;protocol type=&quot;MFC&quot;/&gt;
      &lt;protocol type=&quot;FRAG2&quot;/&gt;
    &lt;/stack&gt;
  &lt;/stacks&gt;
&lt;/subsystem&gt;
</pre>
                      <div> </div>
                      <div>
                        3. If you&#39;re in a Docker container, you have to
                        expose the JGroups ports<br>
                      </div>
                      <div>
                        so they are visible from outside the container,
                        so in standalone-ha.xml<br>
                      </div>
                      <div>
                        in the socket bindings I have changed to the
                        public interface:<br>
                      </div>
                      <div> </div>
                      <pre>
&lt;socket-binding name=&quot;jgroups-tcp&quot; interface=&quot;public&quot; port=&quot;7600&quot;/&gt;
&lt;socket-binding name=&quot;jgroups-tcp-fd&quot; interface=&quot;public&quot; port=&quot;57600&quot;/&gt;
</pre>
                      <div> </div>
                      <div>
                        4. For Docker, the startup script needs to pass
                        the EXTERNAL_HOST_IP<br>
                      </div>
                      <div>
                        variable. I have a wrapper start script that
                        first queries the AWS<br>
                      </div>
                      <div>
                        instance metadata service for the host&#39;s private
                        IP address:<br>
                      </div>
                      <div> </div>
                      <pre>
export EXTERNAL_HOST_IP=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4)
exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml \
  -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME
</pre>
                      <div> </div>
                      <div>
                        &gt;
--------------------------------------------------------------------------------------------------------------------------------------------<br>
                      </div>
                      <div>
                        &gt; From: &lt;<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>&gt;<br>
                      </div>
                      <div>
                        &gt; Date: Wednesday, February 17, 2016 at 9:03
                        AM<br>
                      </div>
                      <div>
                        &gt; To: &quot;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&quot;
                        &lt;<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br>
                      </div>
                      <div>
                        &gt; Subject: [keycloak-user] Infinispan not
                        working on HA environment with        dockers.<br>
                      </div>
                      <div>
                        &gt;<br>
                      </div>
                      <div>
                        &gt; Hello all,<br>
                      </div>
                      <div>
                        &gt; I&#39;m trying to set a Keycloak HA environment
                        up with dockers. I tried with
                        jboss/keycloak-ha-postgres:1.8.0.Final image.<br>
                      </div>
                      <div>
                        &gt;<br>
                      </div>
                      <div>
                        &gt; I can&#39;t make infinispan work when I run 2
                        instances of my docker images. I get the
                        following log in every node:<br>
                      </div>
                      <div>
                        &gt;<br>
                      </div>
                      <pre>
&gt; Received new cluster view for channel ejb: [f9032dc82244|0] (1) [f9032dc82244]
&gt; Received new cluster view for channel hibernate: [f9032dc82244|0] (1) [f9032dc82244]
&gt; Received new cluster view for channel keycloak: [f9032dc82244|0] (1) [f9032dc82244]
&gt; Received new cluster view for channel web: [f9032dc82244|0] (1) [f9032dc82244]
&gt; Channel hibernate local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
&gt; Channel keycloak local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
&gt; Channel ejb local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
&gt; Channel web local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
&gt; Received new cluster view for channel server: [f9032dc82244|0] (1) [f9032dc82244]
&gt; Channel server local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
</pre>
                      <div>
                        &gt;<br>
                      </div>
                      <div>
                        &gt; This is causing my user sessions not to be
                        shared between instances, and it&#39;s not working
                        properly.<br>
                      </div>
                      <div>
                        &gt;<br>
                      </div>
                      <div>
                        &gt; When I run 2 instances of keycloak without
                        dockers, they work properly.<br>
                      </div>
                      <div>
                        &gt;<br>
                      </div>
                      <div>
                        &gt; Am I missing something? Is there any extra
                        configuration that I need to change?<br>
                      </div>
                      <div>
                        &gt;<br>
                      </div>
                      <div>
                        &gt; Thanks,<br>
                      </div>
                      <div>
                        &gt; Nicolas.-<br>
                      </div>
                      <div> </div>
                    </div>
                  </div>
                  <div>--<br>
                  </div>
                  <div>
                      Aikeaguinea<br>
                  </div>
                  <div> <a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a><br>
                  </div>
                </blockquote>
              </div>
            </div>
          </div>
        </div>
      </blockquote>
      <div> </div>
      <div>
        <div>--<br>
        </div>
        <div>  Aikeaguinea<br>
        </div>
        <div>  <a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a><br>
        </div>
        <div> </div>
      </div>
      <div> </div>
      </div></div><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre><span class="HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="HOEnZb"><font color="#888888">
    <br>
    <pre cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
  </font></span></div>

</blockquote></div><br></div>