On 5/19/17 10:29 AM, Marek Posolda wrote:
On 19/05/17 15:21, Bill Burke wrote:
>> This issue comes up in:
>>
>> * code to token
>>
>> * refresh token
>>
>> * backchannel logout
>>
>> * access token validation (bearer token authentication)
>>
>> * Authorization and RPT
>>
>> * Token exchange
>>
>> Any others?
>>
>> We need to get on OIDC lists and discuss these types of issues so that
>> they can get standardized.
> Good point. I can try to start a discussion there.
>>
>> Other thoughts:
>>
>> * What if you talk to the node directly by providing a URL claim in the
>> token or code? The issue with that is that since we derive a lot of
>> things from the hostname of the request, we will need the ability to
>> override this.
> You mean to bypass the load balancer entirely and let the application talk
> to the backend node directly?
> Besides the hostname issue, there is another one: the backend node
> may not be directly reachable. Those are typically on private networks,
> and it can be a different private network from the one the application is using.
> That was the case, for example, in the RedHat IT environment.
> BTW, we already had a similar possibility in the adapter to talk directly to the
> backend node in backchannel requests. Instead of looking up the backend
> node URL from a claim, we had the option in the adapter configuration
> "auth-server-url-for-backend-requests". But the option was removed
> due to those issues, like the hostname, verification of the "iss" claim in tokens,
> etc.
Backchannel sticky sessions become quite difficult if you can't talk to the
node directly. The adapter will have to know to set a cookie that the
load balancer can handle. If the load balancer is using the client IP to
load balance, then you are SOL.
Bill