<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
On 07 Apr 2016, at 13:03, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" class="">sthorger@redhat.com</a>> wrote:<br class="">
<div>
<blockquote type="cite" class=""><br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class=""><br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On 7 April 2016 at 12:56, Christian Schwarz <span dir="ltr" class="">
<<a href="mailto:christian@datek.no" target="_blank" class="">christian@datek.no</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="word-wrap:break-word" class="">Ok, thank you Stian for the fast reply!
<div class=""><br class="">
</div>
<div class="">I will look into using jgroups S3_PING module that supports AWS, and that I think will work with docker-cloud as well since it accepts system properties where I can set the current IP address.</div>
<div class=""><br class="">
</div>
<div class="">Just plain old clustering with a database as shared data store and sticky sessions to a keycloak instance would be a nice default clustering option in the future (but I’m sure you have enough on your plate already :)</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">We're planning sticky session support in 2.x. The problem is that you need to make sure browser + all adapter requests go to the same node. So it's not quite as simple as just setting a cookie. See <a href="https://issues.jboss.org/browse/KEYCLOAK-2352" class="">https://issues.jboss.org/browse/KEYCLOAK-2352</a></div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div>When I implemented a custom OpenID Connect Authorization Server a couple of years ago (when the spec was fresh), we accepted that a single database request per HTTP request was OK performance wise. Then you can re-read the most volatile data on each HTTP
request (e.g. logout status) and then use a local cache for the rest. If you got load-balanced to another node (e.g. during deployment or failover) then the other node would have to fetch more data from the database (we did not use JSESSION, we used a custom
session mechanism with a custom cookie that was an ID to a login session stored in the database. Then you had transparent failover and instant logout from all authorization server nodes. </div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">
<div class="gmail_extra">
<div class="gmail_quote">
<div class=""> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="word-wrap:break-word" class="">
<div class=""><br class="">
</div>
<div class="">Keep up the good work!</div>
<span class=""><font color="#888888" class="">
<div class=""><br class="">
</div>
<div class="">Christian</div>
</font></span>
<div class="">
<div class="h5">
<div class=""><br class="">
</div>
<div class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 07 Apr 2016, at 12:40, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank" class="">sthorger@redhat.com</a>> wrote:</div>
<br class="">
<div class="">
<div dir="ltr" class="">It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find
instructions or google for JGroups and AWS.</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On 7 April 2016 at 10:22, Christian Schwarz <span dir="ltr" class="">
<<a href="mailto:christian@datek.no" target="_blank" class="">christian@datek.no</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi!<br class="">
<br class="">
I'm trying to setup a keycloak cluster on AWS, which does not support UDP multicast. IP addresses of the nodes are also not known in advance (I'm using docker-cloud), so Infinispan/JGroups ("keycloak-ha-posgres" docker image) for user session replication will
not work (seems that it requires either UDP multicast or IP addresses known in advance).<br class="">
<br class="">
The main problem I have is that logout is not working propertly. I only get logged out from one of the two keycloak nodes.<br class="">
<br class="">
I have tried to disable the user cache (by setting userCache.default.enabled = false) and to disable infinispan (by using “keycloak-postgres” docker image), but to no avail. The “other” keycloak node still thinks that the user is logged in, it’s not refreshing
the user session from the database even if user cache and infinispan cluster cache is disbled.<br class="">
<br class="">
=> Is there a possibility of using the database as a synchronization point between keycloak nodes? (i.e. each node always checks logout status in the database)<br class="">
Or is there another way of getting a keycloak cluster up and running on AWS when IP addresses are not known in advance?<br class="">
<br class="">
I hope there is a way… :)<br class="">
<br class="">
Kind regards,<br class="">
Christian<br class="">
<br class="">
_______________________________________________<br class="">
keycloak-user mailing list<br class="">
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank" class="">keycloak-user@lists.jboss.org</a><br class="">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</body>
</html>