If you are interested in just Keycloak 1.0 server running in cluster and not secured applications themselves, then just those 2 things are required:
1) Use 'jpa' or 'mongo' as userSession provider in keycloak-server.json and use shared database among all cluster nodes. By default keycloak is using 'mem' provider, which means that User sessions are stored in memory of particular keycloak server. This performs well, but is not cluster aware.
2) Disable both realm and user cache in admin console, as caches are also stored just in local memory.

Both (1) and (2) should ensure that your keycloak server will be cluster-safe, but they are quite bad for performance. From 1.1.0.Beta1 we have infinispan provider for user sessions, realm caches and user caches. This ensures both cluster-safety and good performance.

Marek

On 16.12.2014 17:18, Ruben Lopez wrote:
Thanks for the quick answers!

I couldn't find documentation about how to install Keycloak 1.0 in a clustered environment. I know that Keycloak 1.1 does have documentation about this but it is still in beta and the company I work for needs to know if there is a similar mechanism that can be implemented with Keycloak 1.0.

El Fri Dec 12 2014 at 6:44:00 AM, Marek Posolda <mposolda@redhat.com> escribió:
On 11.12.2014 18:07, Ruben Lopez wrote:
I have a couple more questions.

1) Will you implement the features requested in KEYCLOAK-402 and KEYCLOAK-405? If so, when?
Hard to say exactly, but looks that it will be quite soon as it is requirement from more people and potential customers . Hopefully in terms of weeks/months, but hard to promise exact date... I think it would require enhance our existing password policies, but those would be a bit harder to add than current simple policies as it will also require to store some info in database (like password expiration time and older passwords)

2) Are there any plans to support Integrated Windows Authentication?
You mean login to KC when user is already logged in windows domain? Yes, we have plan for add Kerberos/spnego soon and I think that it should solve windows domain authentication too. Hopefully around January.


Marek


Thanks :)

2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian@redhat.com>:


----- Original Message -----
> From: "Ruben Lopez" <rubenlop88@gmail.com>
> To: "Marek Posolda" <mposolda@redhat.com>
> Cc: keycloak-user@lists.jboss.org
> Sent: Thursday, 27 November, 2014 5:37:45 PM
> Subject: Re: [keycloak-user] Questions about keycloak
>
> Hi Marek,
>
> 2014-11-27 12:38 GMT-03:00 Marek Posolda < mposolda@redhat.com > :
>
>
>
>
>
> 1 - Is there any way to obtain an access token for an OAuth Client via Client
> Credentials[1]?
> You mean something like Service account like this from OAuth2 specs
> http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
> there are plans to support it afaik.
>
>
>
>
> Yes, I was talking about secction 4.4 Client Credentials Grant. Any idea
> about when it will be implemented?

I can't give you and exact date, but it's becoming more and more of a priority so should be within a few months. We also plan to add cert based authentication for clients.

In the mean-time you can work-around this issue by creating a user on behalf of the client and use Resource Owner Password Credentials Grant (section #4.3). Look at 'examples/preconfigured-demo/admin-access' in the download for an example.

>
>
>
>
>
>
> 2 - If we make a request to an Application (Resource Server) with an access
> token and this Application needs to talk to another protected Application to
> form the response to the client, how does the first Application
> authenticates to the second Application? Does Keycloak implements something
> like Chain Grant Type Profile[2]?
> yes, that is doable. We have an example where we have frontend application
> like 'customer-portal', which is able to retrieve accessToken from keycloak
> like here:
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
> and then use this accessToken to send request to backend application
> 'database-service' in Authorization header
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
> . Database-service is then able to authenticate the token.
>
> Currently our database-service is directly serving requests and send back
> data, but it shouldn't be a problem to add another application to the chain,
> so that database-service will send the token again to another app like
> 'real-database-service', which will return data and those data will be sent
> back to the original frontent requestor (customer-portal). Is it something
> what you meant?
>
> Thats exactly what I meant. I will take a look at the example.
>
> Thank you very much.
>
>
>
>
>
> Marek
>
>
>
>
> Thanks in advance.
>
>
> _______________________________________________
> keycloak-user mailing list keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user