From: "Bill Burke" <bburke(a)redhat.com>
To: "Marek Posolda" <mposolda(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Thursday, 20 February, 2014 3:47:35 PM
Subject: [keycloak-dev] clustering Re: what's next for Alpha 3?
On 2/20/2014 4:36 AM, Marek Posolda wrote:
> Some possible features I can think of:
>
> -- Clustering support -- For example if I have load-balancer and two
> keycloak servers "kc1" and "kc2" and client application doesn't
> communicate directly with keycloak servers but it uses loadbalancer.
> Then login request could be redirected by loadbalancer to "kc1" where
> the accessCode entry is created in TokenManager. But when client application
> sends another request to load-balancer for exchanging code for
> accessToken, it could be served by "kc2", which doesn't have this code
> entry --> error. I did not test this scenario, but I am assuming that it
> probably won't work due to this... Do we want to support this? I've also
> created JIRA https://issues.jboss.org/browse/KEYCLOAK-323 which could be
> related to this.
>
Clustering really f's up the oauth/openid flow. The only thing I could
think of was that the auth-code redirect URL could contain a signed URL
where the client goes to turn the code into a token. I was surprised, I
couldn't find anything in the OpenID Connect spec that covered this.
I'm not quite following, can you specify why it f's it up?
Couldn't we encode/encrypt everything in AccessCodeEntry into the code query param?
That way it wouldn't matter what instance in the cluster is used.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
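The stateless alternative raised in the reply, carrying everything from the AccessCodeEntry inside the `code` parameter so that kc1 or kc2 can redeem it without a shared TokenManager lookup, as an added example that is not Keycloak's code. It signs the entry with an HMAC under a realm-wide secret; `issue_code`, `redeem_code`, `CLUSTER_SECRET` and the field names are assumptions for the example.

```python
"""Self-contained authorization code: every node behind the load balancer can verify it."""
import base64
import hashlib
import hmac
import json
import os

# Constructed realm-wide secret; every kc node must hold the same value (e.g. from realm config).
CLUSTER_SECRET = b"constructed-shared-secret-rotate-in-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_code(secret: bytes, client_id: str, redirect_uri: str, user_id: str,
               now: int, ttl: int = 60) -> str:
    """Everything kc1 would have stored in its AccessCodeEntry goes into the code itself."""
    entry = {"cid": client_id, "ruri": redirect_uri, "sub": user_id,
             "exp": now + ttl, "jti": _b64(os.urandom(16))}
    payload = json.dumps(entry, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def redeem_code(secret: bytes, code: str, client_id: str, redirect_uri: str, now: int) -> dict:
    """Runs on whichever node (kc1 or kc2) receives the token request; no shared lookup needed.
    The MAC is checked before anything is parsed, so a forged or altered code is rejected first."""
    try:
        payload_b64, tag_b64 = code.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed code")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("invalid code")  # wrong key or tampered payload
    entry = json.loads(payload)
    if now > entry["exp"]:
        raise ValueError("code expired")
    if entry["cid"] != client_id or entry["ruri"] != redirect_uri:
        raise ValueError("code not bound to this client and redirect_uri")
    # The code stays replayable until "exp": single-use needs the jti recorded in state
    # shared across the cluster, which is exactly what this stateless design avoids.
    return entry
```

Signing gives integrity only, so the holder of the code can read its fields; anything that must stay hidden from the client needs encryption in place of (or in addition to) the MAC.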
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev