On 2/20/2014 4:36 AM, Marek Posolda wrote:
Some possible features I can think of:
-- Clustering support -- For example, if I have a load balancer and two
Keycloak servers "kc1" and "kc2", and the client application doesn't
communicate directly with the Keycloak servers but uses the load balancer,
then the login request could be redirected by the load balancer to "kc1", where
an accessCode entry is created in TokenManager. But when the client application
sends another request to the load balancer to exchange the code for an
accessToken, it could be served by "kc2", which doesn't have this code
entry --> error. I did not test this scenario, but I am assuming that it
probably won't work due to this... Do we want to support this? I've also
created JIRA https://issues.jboss.org/browse/KEYCLOAK-323 which could be
related to this.
Clustering really f's up the oauth/openid flow. The only thing I could
think of was that the auth-code redirect URL could contain a signed URL
where the client goes to turn the code into a token. I was surprised that I
couldn't find anything in the OpenID Connect spec that covered this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
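An added illustration (not code from this thread or from Keycloak): a constructed model of the kc1/kc2 failure Marek describes, where the access code lives only in the issuing node's TokenManager, followed by one stateless alternative in the spirit of Bill's signed-URL idea, an HMAC-signed code that any node holding the shared cluster key can verify. The node names, the cluster key and the claim layout are assumptions.

```python
import base64, binascii, hashlib, hmac, json, secrets

# Constructed model of one Keycloak node with a node-local TokenManager:
# the issued access code lives only in this node's memory.
class Node:
    def __init__(self, name):
        self.name = name
        self.codes = {}  # accessCode -> user, never replicated to peers
    def issue_code(self, user):
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return code
    def exchange(self, code):
        # Single-use: the entry is removed on first redemption.
        return self.codes.pop(code, None)

def node_local_exchange_fails():
    """Login handled by kc1, code exchange routed by the balancer to kc2."""
    kc1, kc2 = Node("kc1"), Node("kc2")
    code = kc1.issue_code("alice")
    return kc2.exchange(code)  # None: kc2 never saw this code

# Stateless alternative: every node holds the same HMAC key (constructed
# secret; a real cluster distributes it out of band). Trade-off: without a
# shared store a stateless code cannot be marked as used, so keep TTL short.
CLUSTER_KEY = b"constructed-shared-cluster-secret"

def issue_signed_code(user, client_id, now, ttl=60):
    claims = {"u": user, "c": client_id, "exp": now + ttl, "n": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(CLUSTER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())

def verify_signed_code(code, client_id, now):
    """Return the user if the code is intact, for this client and unexpired."""
    try:
        p64, s64 = code.split(".", 1)
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(CLUSTER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["c"] != client_id or claims["exp"] <= now:
        return None
    return claims["u"]
```

Any node can redeem a signed code, which removes the routing dependency, but replay protection then needs a shared used-code record or a TTL short enough to bound the window.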