We have verified it, session replication is happening without issue.
We found one JIRA which seems somewhat relevant to our issue. We are currently using
Keycloak 1.0.4.Final release, however this JIRA got fixed in later version. So we will
upgrade to 1.1.0.Final and see if that helps.
https://issues.jboss.org/browse/KEYCLOAK-743
Cookie as token-store can definitely help. Although, we would like to know whether
distributable (replicated http session) without sticky session is supported by adapter.
Thanks
Bappaditya Gorai
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Friday, February 06, 2015 2:34 PM
To: Bappaditya Gorai (bgorai); Stian Thorgersen
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Facing Issue with Resource Server in Clustered Environment
It looks like there might be an issue with session replication in your environment.
When you bootstrap your domain with cluster nodes, are you seeing message in the log
similar to:
INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/web|1] (2) [node1/web, node2/web]
Does it help if you try to switch to
"token-store": "cookie"
in the adapter configuration of your application?
Thanks,
Marek
On 5.2.2015 06:45, Bappaditya Gorai (bgorai) wrote:
Please find my response inline for your queries.
Thanks
Bappaditya Gorai
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Wednesday, February 04, 2015 8:06 PM
To: Bappaditya Gorai (bgorai); Stian Thorgersen
Cc: keycloak-dev@lists.jboss.org
Subject: Re: [keycloak-dev] Facing Issue with Resource Server in Clustered Environment
Hi,
I am not sure about the details of your environment. You mentioned that you're not
interested in clustering of keycloak server.
So do I understand correctly that you have just 1 node as keycloak server and 2 nodes with
your application deployed?
[[Bappaditya]] Yes, only one instance of keycloak Server (Running in standalone mode). My
Application is deployed in 2 nodes (cluster) and running in domain mode.
Are you using "distributable" tag in web.xml of your app on both nodes to ensure
session replication?
[[Bappaditya]] Yes, Application is using "distributable" tag in web.xml.
Are you using loadbalancer?
[[Bappaditya]] We are using mod_cluster & httpd. Sticky sessions disabled.
Marek
On 4.2.2015 13:37, Bappaditya Gorai (bgorai) wrote:
Thanks for the detailed description. Still, it seems in case of Clustered Resource
environment (distributable without Sticky sessions) we are relying on session replication
to happen immediately between CODE_TO_TOKEN and Resource Hit(302), which may or may not
happen. We are now facing the same issue where after CODE_TO_TOKEN client is redirected to
Login URL again.
Are we addressing this scenario with 1.1.0 Final ?
Thanks
Bappaditya Gorai
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, February 02, 2015 2:00 PM
To: Bappaditya Gorai (bgorai); Stian Thorgersen
Cc: keycloak-dev@lists.jboss.org
Subject: Re: [keycloak-dev] Facing Issue with Resource Server in Clustered Environment
Hi,
it's not stateless by default. Data about keycloak authenticated principal are saved
in HTTP session by default and can be replicated across cluster nodes (replication works
as long as your application is marked as "distributable" in web.xml).
However we support stateless adapter, which won't save anything in HTTP Session and
won't create HTTP session and JSESSIONID cookie at all (unless you're calling
httpRequest.getSession() in your own application). Instead all the data are saved in
cookie.
Some more info in docs:
http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicatio...
Marek
On 30.1.2015 11:26, Bappaditya Gorai (bgorai) wrote:
Thanks for clarifying. So, I think adapter has become stateless in
1.1.0.Final. Is my understanding correct?
-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Friday, January 30, 2015 1:18 PM
To: Bappaditya Gorai (bgorai)
Cc: keycloak-dev@lists.jboss.org
Subject: Re: [keycloak-dev] Facing Issue with Resource Server in
Clustered Environment
----- Original Message -----
> From: "Bappaditya Gorai (bgorai)" <bgorai@cisco.com>
> To: "Stian Thorgersen" <stian@redhat.com>
> Cc: keycloak-dev@lists.jboss.org
> Sent: Friday, 30 January, 2015 8:38:49 AM
> Subject: RE: [keycloak-dev] Facing Issue with Resource Server in Clustered
> Environment
>
> We are not talking about clustering for Keycloak server. The setup is
> for Resource Server (Keycloak Adapter) in clustered environment.
Same answer
> Thanks
> Bappaditya Gorai
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian@redhat.com]
> Sent: Friday, January 30, 2015 12:57 PM
> To: Bappaditya Gorai (bgorai)
> Cc: keycloak-dev@lists.jboss.org
> Subject: Re: [keycloak-dev] Facing Issue with Resource Server in
> Clustered Environment
>
> 1.0.4.Final had very limited support for clustering, please upgrade
> to 1.1.0.Final and refer to chapter 24 and 25 in the documentation
> (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering...).
>
> ----- Original Message -----
>> From: "Bappaditya Gorai (bgorai)" <bgorai@cisco.com>
>> To: keycloak-dev@lists.jboss.org
>> Sent: Friday, 30 January, 2015 8:22:26 AM
>> Subject: [keycloak-dev] Facing Issue with Resource Server in Clustered
>> Environment
>>
>>
>>
>> Hi Team,
>>
>> Please find the details on setup and observation below. Please
>> provide your suggestion on how to overcome this issue. We are using
>> Keycloak 1.0.4.Final (Adapter & Server).
>>
>>
>>
>>
>>
>> Setup:
>>
>> 1. We have brought up Jboss cluster (using mod_cluster, httpd) with
>> 2 nodes in domain mode and enabled session replication between these nodes.
>>
>> 2. Our Resource server is deployed in this clustered environment
>> with distributable and Sticky session Off.
>>
>>
>>
>> Behavior observed :
>>
>> During the Authorization/Authentication process, when Initial
>> call (Resource Access) lands on master and next redirection (post Code To token)
>> falls on slave, Adapter is treating it as a new session and
>> redirecting to login URL again. So we ended up with circular redirection error.
>> After further investigation seems like session replication delay is
>> causing adapter to behave this way. As the redirection call happens
>> very quickly and this results in circular redirection error.
>>
>>
>>
>>
>>
>>
>>
>> NOTE: Sticky Session in mod_cluster environment solves the issue but
>> it does not provide true load balancing. Therefore we are not
>> considering Sticky session option.
>>
>>
>>
>>
>>
>> Thanks
>>
>> Bappaditya Gorai
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev@lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
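
The race discussed in this thread, as an added illustration that is not part of the thread and not Keycloak code: a toy Python model of two application nodes behind a round-robin balancer with sticky sessions off, comparing the HTTP session token store with "token-store": "cookie". The function name, the measurement of replication lag in requests, and the cap on round trips are assumptions made for this sketch.

```python
from itertools import cycle

def login_round_trips(token_store, replication_lag, max_round_trips=10):
    """Return how many times the browser goes through Keycloak before the
    resource is served, or None if it never is (circular redirection).

    token_store     -- "session" or "cookie", the adapter option quoted above
    replication_lag -- requests that pass before a session write on one node
                       is visible on the other (0 = visible to the next request)
    """
    balancer = cycle(["node1", "node2"])   # round robin, sticky sessions off
    visible_from = {}                      # node -> first request that sees the login
    cookie_has_token = False
    next(balancer)                         # request 1: unauthenticated, 302 to Keycloak
    request_no = 1
    for round_trip in range(1, max_round_trips + 1):
        # Browser comes back with a code; this node performs code-to-token.
        request_no += 1
        code_node = next(balancer)
        if token_store == "cookie":
            cookie_has_token = True        # state leaves with the response
        else:
            visible_from.setdefault(code_node, request_no)
            for node in ("node1", "node2"):  # replication reaches the peer later
                visible_from.setdefault(node, request_no + 1 + replication_lag)
        # 302 to the resource; the balancer picks the next node.
        request_no += 1
        resource_node = next(balancer)
        seen = request_no >= visible_from.get(resource_node, float("inf"))
        if cookie_has_token or seen:
            return round_trip
        # Session not visible on this node yet: treated as a new session,
        # so the adapter redirects to the login URL again.
    return None

if __name__ == "__main__":
    # Constructed inputs: lag values are illustrative, not measurements.
    for store in ("session", "cookie"):
        for lag in (0, 1, 3, 100):
            print(store, lag, login_round_trips(store, lag))
```

In this model the session store needs one round trip only when replication is visible to the very next request, while the cookie store needs one round trip regardless of lag because no node-local state is consulted.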