CODE_TO_TOKEN_ERROR and clustered mode
by Daniel Fernández Rodríguez
Hi guys,
We have Keycloak v7 configured to use clustered mode.
For that I configured the service to start using standalone-ha.xml
(we have Puppet, so all Keycloaks should have identical config) and added
proxy-address-forwarding="true" (I have one nginx as a reverse proxy
taking care of the https):
    <http-listener name="default"
        proxy-address-forwarding="true" socket-binding="http"
        redirect-socket="https" enable-http2="true"/>

In front of the keycloaks I have a couple of HAProxies configured to use
tcp mode.
From time to time, some users complain that they cannot log in.
When I check the logs I see something like:
{"loggerTimestamp":"2019-11-11T15:41:43.647+01:00","sequence":6354,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"WARN","message":"type=CODE_TO_TOKEN_ERROR,
realmId=myrealm, clientId=myclient, userId=null,
ipAddress=111.222.30.198, error=invalid_code,
grant_type=authorization_code,
code_id=e24eaa47-adfd-48bc-a3bb-4f1fbe4ba59b,
client_auth_method=client-secret","threadName":"default
task-45","threadId":327,"mdc":{},"ndc":"","hostName":"keycloak-59cd3c0b11.mycompany.com","processName":"jboss-modules.jar","processId":12591
}
Do you know what might be happening?
There is not a lot of documentation on how to properly configure
clustered mode.
Thanks a lot.
Daniel.