Hi Pedro,
I think I can say that it happens after changing the authorization
settings. For instance, I add resources/policies/permissions.
To get the permissions (in Kotlin):
- I get the access token from KeycloakSecurityContext:
    accessToken = getKeycloakSecurityContext().tokenString
- Create an AuthzClient, send the access token and an instance of
AuthorizationRequest to it, and extract the RPT:
    rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
- Then, using the AuthzClient again, I call the introspect RPT API to get the
guts of the RPT and get the permissions:
    permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions
It is this permissions object that is not consistent between two nodes.
Cheers
Farzad
On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi,
Does it happen after changing anything in your client's authorization
settings (e.g., resources, scopes, permissions, etc.)?
How are you sending authorization requests? By passing a set of one or
more permission parameters, obtaining all permissions or using a UMA ticket?
Regards.
Pedro Igor
On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Hi,
>
> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a
> load-balancer in front of them. I noticed that sometimes I am getting
> inconsistent RPTs, meaning that I send two queries and the two RPTs
> returned have different granted permissions in them.
>
> So I went behind the load-balancer and queried each node individually. It
> turns out that one of the nodes is always returning a wrong set of
> permissions in the RPT.
>
> If I go to the admin console and clear the realm cache, then both nodes
> would return the same correct permissions right away.
>
> This is so intermittent. I am not sure what is causing this. I cannot find
> any clue in the logs. There is not much out there. I do not know how to
> reproduce this.
>
> Anyone with similar issue? Any suggestions?
>
> Cheers
>
> Farzad
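The per-node comparison described in this thread can be scripted; the following is an added example, not code from the thread or from Keycloak. It decodes the payload of the RPT obtained from each node (queried directly, behind the load balancer) and reports the grants that not every node agrees on. It assumes the RPT is a JWT carrying `authorization.permissions` entries with `rsid`, `rsname` and `scopes`; the node names and tokens are constructed samples.

```python
import base64
import json


def rpt_grants(rpt):
    """Return the set of (resource, scope) pairs granted by an RPT.

    Decodes the JWT payload only; the signature is NOT verified, so this is
    for diagnosis and must never be used to make access decisions.
    """
    payload_b64 = rpt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    grants = set()
    for perm in claims.get("authorization", {}).get("permissions", []):
        name = perm.get("rsname") or perm.get("rsid")
        # An entry without scopes is recorded as (resource, None).
        for scope in perm.get("scopes") or [None]:
            grants.add((name, scope))
    return grants


def diff_nodes(rpts_by_node):
    """Map each node to the grants it issues that some other node does not."""
    per_node = {node: rpt_grants(rpt) for node, rpt in rpts_by_node.items()}
    common = set.intersection(*per_node.values())
    return {node: grants - common for node, grants in per_node.items()}


def _fake_rpt(permissions):
    """Build an unsigned, constructed sample token (not a real Keycloak RPT)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}),
                     enc({"authorization": {"permissions": permissions}}),
                     "constructed-signature"])


# Constructed sample: the same user, one RPT per node, node2 serving fewer grants.
SAMPLE = {
    "node1": _fake_rpt([{"rsid": "r1", "rsname": "orders", "scopes": ["view", "edit"]},
                        {"rsid": "r2", "rsname": "reports"}]),
    "node2": _fake_rpt([{"rsid": "r1", "rsname": "orders", "scopes": ["view"]}]),
}

if __name__ == "__main__":
    for node, extra in diff_nodes(SAMPLE).items():
        print(node, "grants not issued by every node:", extra or "none")
```

An empty set for every node means the nodes agree; a non-empty set only shows that they diverge, and which node is correct still has to be checked against the intended policy.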