On 19/05/17 16:19, Bill Burke wrote:
> * Won't the regular case be that the load balancer generates the
> affinity cookie or doesn't have a cookie at all? HA-Proxy is quite
> popular and they have both options.
Yes, that's also what Sebastien Schuster from the community mentioned in
the other thread. That's why I've added StickySessionEncoderProvider as
an SPI, so it's easily possible to disable Keycloak adding the route to
the cookie, or to make requests sticky based on something other than the
cookie (e.g. a path parameter).
However, having Keycloak itself choose the route has one big
performance advantage: it can route to the node which is the owner of
the entry in the Infinispan distributed cache. This also includes
support for rebalancing (the owner may change when a new node
joins/leaves the cluster, and then the route changes automatically).
This is what WildFly is doing for HTTP sessions too.
We discussed the integration with KeyAffinityService [1], which helps
with the use case when the load balancer generates the route in the
cookie. It ensures that the generated session ID will be local to the
current node. Hence the load balancer can use the request node as the
route and the session will be local to it. But this doesn't handle
rebalancing, so IMO the preferred option is still to let Keycloak append
the route.
There is also the Infinispan grouping API I want to look at.
[1] http://infinispan.org/docs/stable/user_guide/user_guide.html#KeyAffinityS...
> * @ 18:25 in bluejeans session, The "You are already logged in" screen.
> What happens when the user clicks "proceed"? Does the SAML or OIDC
> request continue as normal? Or are you calculating the URI on the
> application to redirect to, if so, why?
No, this is just a link to the client base URI, and then a new flow can
be started from the application. ATM the authenticationSession may
already be removed, as the user already logged in in a different
browser tab etc., so there is no flow to continue with.
Currently there is just the userSession available, and the client
application used for "Back to application" is the last authenticated
client in the userSession. I am going to improve it and use the
"client_id" parameter in requests, so in case of an expired session, an
already removed authentication session etc., you would always know the
client from the "client_id" parameter. Details are in the other ML
thread "Provide a Link to go Back to The Application on a Timeout".
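The two routing approaches discussed in the message above (Keycloak appending the owner node as a route to the session cookie, versus KeyAffinityService-style generation of an id that is local to the request node, which stops being local once the cluster rebalances) can be seen side by side in the following added example. It is not Keycloak or Infinispan code: the hash ring is a constructed stand-in for the distributed cache's owner lookup, the encoder class names are invented for this illustration, and the exact cookie format is an assumption.

```python
# Constructed model of route-aware sticky session cookies (example code, not
# Keycloak's own). HashRing stands in for the distributed cache's owner lookup;
# the encoder class names and '<sessionId>.<route>' format are assumptions.
import bisect
import hashlib
import secrets


def _h(s: str) -> int:
    """64-bit hash used for both ring points and cache keys."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


class HashRing:
    """Consistent-hash stand-in for the cache: the owner of a key is a
    deterministic function of the current cluster membership."""

    VNODES = 64  # virtual points per node, smooths the key distribution

    def __init__(self, nodes):
        self._points = []  # sorted (hash, node) pairs
        for node in nodes:
            self.add_node(node)

    def add_node(self, node):
        for i in range(self.VNODES):
            bisect.insort(self._points, (_h(f"{node}#{i}"), node))

    def remove_node(self, node):
        self._points = [p for p in self._points if p[1] != node]

    def owner(self, key):
        """First ring point clockwise from the key's hash owns the key."""
        if not self._points:
            raise RuntimeError("cluster has no members")
        idx = bisect.bisect_right(self._points, (_h(key), "\uffff"))
        return self._points[idx % len(self._points)][1]


class RouteStickySessionEncoder:
    """Keycloak-style: '<sessionId>.<route>', route = current cache owner.
    Re-encoding after a rebalance yields the new owner automatically."""

    def __init__(self, ring):
        self.ring = ring

    def encode(self, session_id):
        return f"{session_id}.{self.ring.owner(session_id)}"

    def decode(self, cookie_value):
        session_id, dot, _route = cookie_value.rpartition(".")
        return session_id if dot else cookie_value  # tolerate a route-less cookie

    def route(self, cookie_value):
        _session_id, dot, route = cookie_value.rpartition(".")
        return route if dot else None


class NoRouteStickySessionEncoder:
    """The disabled variant: the load balancer (e.g. HAProxy) keeps its own
    affinity cookie, so the session id is stored unchanged."""

    def encode(self, session_id):
        return session_id

    def decode(self, cookie_value):
        return cookie_value


def generate_local_session_id(ring, local_node, attempts=10000):
    """KeyAffinityService-style: draw random ids until one is owned by the
    local node, so routing to the request node also hits the cache owner.
    This only holds for the membership at generation time."""
    for _ in range(attempts):
        session_id = secrets.token_hex(16)  # hex, so it never contains '.'
        if ring.owner(session_id) == local_node:
            return session_id
    raise RuntimeError("could not generate a locally owned id")


def rebalance_demo(nodes=("node1", "node2", "node3"), joining="node4"):
    """Compare both approaches when a node joins the cluster."""
    ring = HashRing(nodes)
    encoder = RouteStickySessionEncoder(ring)
    session_id = generate_local_session_id(ring, nodes[0])
    cookie_before = encoder.encode(session_id)  # route is nodes[0] by construction
    ring.add_node(joining)                      # rebalance: some owners move
    cookie_after = encoder.encode(session_id)   # route follows the new owner
    return {
        "route_before": encoder.route(cookie_before),
        "route_after": encoder.route(cookie_after),
        "owner_after": ring.owner(session_id),
        # A load balancer still pinned to nodes[0] misses the owner when False:
        "fixed_lb_route_still_owner": ring.owner(session_id) == nodes[0],
    }


if __name__ == "__main__":
    print(rebalance_demo())
```

Running `rebalance_demo()` repeatedly shows the point made above: the route encoded by Keycloak always matches the current owner, while a route fixed at id-generation time keeps pointing at the old node for every session whose owner moved during the rebalance.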
Why do you need this page? Why can't you just proceed with the
OIDC/SAML protocol?
Bill