Re: [keycloak-dev] clustering Re: what's next for Alpha 3?

On 2/20/2014 4:36 AM, Marek Posolda wrote: > Some possible features I can think of: > > -- Clustering support -- For example if I have load-balancer and two > keycloak servers "kc1" and "kc2" and client application doesn't > communicate directly with keycloak servers but it uses loadbalancer. > Then login request could be redirected by loadbalancer to "kc1" where is > created accessCode entry in TokenManager. But when client application > sends another request to load-balancer for exchanging code for > accessToken, it could be served by "kc2", which doesn't have this code > entry --> error. I did not test this scenario, but I am assuming that it > probably won't work due to this... Do we want to support this? I've also > created JIRA https://issues.jboss.org/browse/KEYCLOAK-323 which could be > related to this. > Clustering really f's up the oauth/openid flow. The only thing I could think of was that the auth-code redirect URL could contain a signed URL where the client goes to turn the code into a token. I was surprised, I couldn't find anything in the OpenID Connect spec that covered this.