Thanks for letting us know, DV!
Setting the number of owners equal to the cluster size doesn't make any
sense. You might use a replicated cache in that scenario (which works the
same way apart from some Infinispan internal behavior, which can be omitted
in your case). Could you please paste your Infinispan configuration? Maybe
there's some hint there...
Thanks,
Seb
On Tue, Sep 18, 2018 at 11:02 PM D V <dv(a)glyphy.com> wrote:
The issue was resolved in a somewhat unexpected way. I had a custom
org.keycloak.storage.UserStorageProviderFactory SPI registered that
returned providers implementing
org.keycloak.storage.user.UserLookupProvider, but the
org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't
fully filled out. I just had it return null. It wasn't obvious to me that
it was required (or under what circumstances). Once I implemented it, the
experiments in my original message passed. I did have to set owners to 2
for the "sessions" and "clientSessions" distributed cache Infinispan
configs.
One thing I noticed is that node2 (the one that doesn't get hit on the
initial password auth) has to do a lookup via getUserById the first time it
handles a grant_type=refresh_token auth. Is the data it needs not shared
across the cluster? It seems to be cached only locally on the node. Just as
a test I tried to set all configured non-local caches to be replicated and
it didn't help. Any thoughts about this?
Thanks,
DV