9:20 a.m.
Hi,
Our backup product is using Keycloak for SSO. We are migrating all our users to a new
instance of keycloak in AWS environment. One of the requirement is all the existing
clients which is an agent on the user box running in background which does backup, should
not see any re-authentication or login window from their end after migration . User
initially login when they have first installed our product and they never see any login
any more(our client is non-intrusive, most users don't ever remember the login ), we
just refresh every 15 minutes get new set of tokens and so on... and it works for us. We
have tested locally where we have migrated the present keycloak database to our new
keycloak aws instance just by using pg_dump and restore command for database of keycloak
and we made sure the realm, redirect urls , client secrets are exactly same. We are
assuming if everything is exactly the same refresh tokens should still workand we can
avoid the login screen. Is this right assumption?
In our test what we have found is, we made a DNS swap where the client initially going
the old env gets routed to our new keycloak aws instance(We did CNAME change on the old
env to route traffic to new environment ). The reason for this Is to make sure our
redirect url does not change and the client could still talk to same old urls it is aware
of. Long story short, old key cloak env and new key cloak env has exactly same of
everything...What we have seen is that the client which is initalliay pointing to the
old env, after the migration and after doing the DNS switch the old tokens still work on
new environment. Once we remove the switch and when the clients go back to old env the
tokens still work. Is this a bug or is this expected?
Thanks,
Sai.
12:43 p.m.
New subject: Migrating Keycloak to AWS environment
It was posted:
http://lists.jboss.org/pipermail/keycloak-dev/2018-January/010272.html
Maybe you sent it twice and one copy was rejected?
On 2 January 2018 at 16:20, Kalidindi, Sai Soma Kala <
sai-soma-kala.kalidindi(a)microfocus.com> wrote:
Hi,
Our backup product is using Keycloak for SSO. We are migrating all our
users to a new instance of keycloak in AWS environment. One of the
requirement is all the existing clients which is an agent on the user box
running in background which does backup, should not see any
re-authentication or login window from their end after migration . User
initially login when they have first installed our product and they never
see any login any more(our client is non-intrusive, most users don't ever
remember the login ), we just refresh every 15 minutes get new set of
tokens and so on... and it works for us. We have tested locally where we
have migrated the present keycloak database to our new keycloak aws
instance just by using pg_dump and restore command for database of keycloak
and we made sure the realm, redirect urls , client secrets are exactly
same. We are assuming if everything is exactly the same refresh tokens
should still workand we can avoid the login screen. Is this right a!
ssumption?
In our test what we have found is, we made a DNS swap where the client
initially going the old env gets routed to our new keycloak aws
instance(We did CNAME change on the old env to route traffic to new
environment ). The reason for this Is to make sure our redirect url does
not change and the client could still talk to same old urls it is aware of.
Long story short, old key cloak env and new key cloak env has exactly same
of everything...What we have seen is that the client which is initalliay
pointing to the old env, after the migration and after doing the DNS switch
the old tokens still work on new environment. Once we remove the switch and
when the clients go back to old env the tokens still work. Is this a bug or
is this expected?
Thanks,
Sai.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:27 p.m.
New subject: Migrating Keycloak to AWS environment
Hi Sai,
I believe this is the expected behavior because in an HA setup, Keycloak doesn’t persist
user sessions to the database, they are stored in the Infinispan distributed cache. Only
offline sessions are persisted to the JPA data store.
A core Keycloak developer can correct me if I’m wrong, but this is what I see looking at
the latest Keycloak source code and it’s the case on the version we run.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On Jan 2, 2018, at 10:20 AM, Kalidindi, Sai Soma Kala
<sai-soma-kala.kalidindi(a)microfocus.com> wrote:
Hi,
Our backup product is using Keycloak for SSO. We are migrating all our users to a new
instance of keycloak in AWS environment. One of the requirement is all the existing
clients which is an agent on the user box running in background which does backup, should
not see any re-authentication or login window from their end after migration . User
initially login when they have first installed our product and they never see any login
any more(our client is non-intrusive, most users don't ever remember the login ), we
just refresh every 15 minutes get new set of tokens and so on... and it works for us. We
have tested locally where we have migrated the present keycloak database to our new
keycloak aws instance just by using pg_dump and restore command for database of keycloak
and we made sure the realm, redirect urls , client secrets are exactly same. We are
assuming if everything is exactly the same refresh tokens should still workand we can
avoid the login screen. Is this right a!
ssumption?
In our test what we have found is, we made a DNS swap where the client initially going
the old env gets routed to our new keycloak aws instance(We did CNAME change on the old
env to route traffic to new environment ). The reason for this Is to make sure our
redirect url does not change and the client could still talk to same old urls it is aware
of. Long story short, old key cloak env and new key cloak env has exactly same of
everything...What we have seen is that the client which is initalliay pointing to the
old env, after the migration and after doing the DNS switch the old tokens still work on
new environment. Once we remove the switch and when the clients go back to old env the
tokens still work. Is this a bug or is this expected?
Thanks,
Sai.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:01 a.m.
New subject: Migrating Keycloak to AWS environment
Hi,
Thank you for your response. Just want to give few more details, the keycloak version we
are running is 1.9.8, our refresh tokens expire as soon as we get new set of access token
and refresh token(we have a setting in keycloak turned on for this). Right now what we
observe is the refresh token we got from old env is working on new env and vice versa.
Thanks,
Sai.
From: Scott Rossillo [mailto:srossillo@smartling.com]
Sent: Tuesday, January 02, 2018 6:28 PM
To: Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi(a)microfocus.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Migrating Keycloak to AWS environment
Hi Sai,
I believe this is the expected behavior because in an HA setup, Keycloak doesn’t persist
user sessions to the database, they are stored in the Infinispan distributed cache. Only
offline sessions are persisted to the JPA data store.
A core Keycloak developer can correct me if I’m wrong, but this is what I see looking at
the latest Keycloak source code and it’s the case on the version we run.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com<mailto:srossillo@smartling.com>
On Jan 2, 2018, at 10:20 AM, Kalidindi, Sai Soma Kala
<sai-soma-kala.kalidindi@microfocus.com<mailto:sai-soma-kala.kalidindi@microfocus.com>>
wrote:
Hi,
Our backup product is using Keycloak for SSO. We are migrating all our users to a new
instance of keycloak in AWS environment. One of the requirement is all the existing
clients which is an agent on the user box running in background which does backup, should
not see any re-authentication or login window from their end after migration . User
initially login when they have first installed our product and they never see any login
any more(our client is non-intrusive, most users don't ever remember the login ), we
just refresh every 15 minutes get new set of tokens and so on... and it works for us. We
have tested locally where we have migrated the present keycloak database to our new
keycloak aws instance just by using pg_dump and restore command for database of keycloak
and we made sure the realm, redirect urls , client secrets are exactly same. We are
assuming if everything is exactly the same refresh tokens should still workand we can
avoid the login screen. Is this right a!
ssumption?
In our test what we have found is, we made a DNS swap where the client initially going
the old env gets routed to our new keycloak aws instance(We did CNAME change on the old
env to route traffic to new environment ). The reason for this Is to make sure our
redirect url does not change and the client could still talk to same old urls it is aware
of. Long story short, old key cloak env and new key cloak env has exactly same of
everything...What we have seen is that the client which is initalliay pointing to the
old env, after the migration and after doing the DNS switch the old tokens still work on
new environment. Once we remove the switch and when the clients go back to old env the
tokens still work. Is this a bug or is this expected?
Thanks,
Sai.
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:37 p.m.
New subject: Migrating Keycloak to AWS environment
Hi Scott,
We are actually using offline tokens for our clients, when we login in initially we give
tag “offline” which gets us refresh and access tokens .
To elaborate more:
1) We use 1.9.8 version of keycloak. We have configured our keycloak realm to set
revoke refresh tokens, which means refresh tokens are revoked once used for refreshing.
2) We have 2 keycloak clusters.
3) Our client initially pointed to KC1 which is old environment .
4) Now the KC1 database and certs are migrated to KC2 our new environment .
5) Client refresh token which it got from old env works on new env, which makes sense
as I have migrated the keycloak database.
6) After of couple of days, client is moved to KC1 again. But the database is not
moved. KC1 still has the old database as of step 3.
7) Our logs show that client is sending a refresh token to KC1, which was issued by
KC2. This refresh is successfull
What we are not understanding that how KC1 is able to refresh the token which it does not
know ?
Thanks,
Sai.
From: Scott Rossillo [mailto:srossillo@smartling.com]
Sent: Tuesday, January 02, 2018 6:28 PM
To: Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi(a)microfocus.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Migrating Keycloak to AWS environment
Hi Sai,
I believe this is the expected behavior because in an HA setup, Keycloak doesn’t persist
user sessions to the database, they are stored in the Infinispan distributed cache. Only
offline sessions are persisted to the JPA data store.
A core Keycloak developer can correct me if I’m wrong, but this is what I see looking at
the latest Keycloak source code and it’s the case on the version we run.
~ Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com<mailto:srossillo@smartling.com>
On Jan 2, 2018, at 10:20 AM, Kalidindi, Sai Soma Kala
<sai-soma-kala.kalidindi@microfocus.com<mailto:sai-soma-kala.kalidindi@microfocus.com>>
wrote:
Hi,
Our backup product is using Keycloak for SSO. We are migrating all our users to a new
instance of keycloak in AWS environment. One of the requirement is all the existing
clients which is an agent on the user box running in background which does backup, should
not see any re-authentication or login window from their end after migration . User
initially login when they have first installed our product and they never see any login
any more(our client is non-intrusive, most users don't ever remember the login ), we
just refresh every 15 minutes get new set of tokens and so on... and it works for us. We
have tested locally where we have migrated the present keycloak database to our new
keycloak aws instance just by using pg_dump and restore command for database of keycloak
and we made sure the realm, redirect urls , client secrets are exactly same. We are
assuming if everything is exactly the same refresh tokens should still workand we can
avoid the login screen. Is this right a!
ssumption?
In our test what we have found is, we made a DNS swap where the client initially going
the old env gets routed to our new keycloak aws instance(We did CNAME change on the old
env to route traffic to new environment ). The reason for this Is to make sure our
redirect url does not change and the client could still talk to same old urls it is aware
of. Long story short, old key cloak env and new key cloak env has exactly same of
everything...What we have seen is that the client which is initalliay pointing to the
old env, after the migration and after doing the DNS switch the old tokens still work on
new environment. Once we remove the switch and when the clients go back to old env the
tokens still work. Is this a bug or is this expected?
Thanks,
Sai.
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2545
days inactive
2546
days old
4 comments
3 participants
participants (3)
-
Kalidindi, Sai Soma Kala -
Scott Rossillo -
Stian Thorgersen