I am not able to reproduce it but it is happening constantly. I think what
I can confirm is that if I play around with the authorization stuff
(resource/policy/permission) of a realm, then there is a good chance the
cache for that realm gets screwed up. I will let you know if I find a way
to reproduce it.
For the meantime is there a config fix for this caching issue?
Thanks
On Tue, Jun 11, 2019 at 4:39 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
I've tried different changes to settings and I think I got one.
Could you
confirm that you are changing a resource permission by replacing the type
with a specific resource ?
On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Hi Pedro,
>
> I think I can say that it happens after changing the authorization
> settings. For instance I add resources/policies/permissions.
>
> To get the permissions (in Kotlin):
> - I get the access token from KeycloakSecurityContext
> accessToken = getKeycloakSecurityContext().tokenString
>
> - Create AuthzClient and send access token and an instance of
> AuthorizaionRequest to it and extract the RPT:
> rpt =
> authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>
> - Then using the AuthzClient again I call the introspect RPT API to get
> the guts of RPT and get the permissions:
> permissions =
> authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>
> It is this permissions object that is not consistent between two nodes.
>
>
> Cheers
>
> Farzad
>
> On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> Does it happen after changing anything in your client's authorization
>> settings (eg.: resources, scopes, permissions, etc) ?
>>
>> How are you sending authorization requests? By passing a set of one or
>> more permission parameters, obtaining all permissions or using a UMA ticket
>> ?
>>
>> Regards.
>> Pedro Igor
>>
>> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi <farzad.panahi(a)gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a
>>> load-balancer in front of them. I noticed that sometimes I am getting
>>> inconsistent RPTs meaning that I send two queries and the two RPTs
>>> returned
>>> have different granted permissions in them.
>>>
>>> So I wend behind the load-balancer and queried each node individually.
>>> It
>>> turns out that one of the nodes is always returning wrong set of
>>> permissions in RPT.
>>>
>>> If I go to the admin console and clear the realm cache, then both nodes
>>> would return the same correct permissions right away.
>>>
>>> This is so intermittent. I am not sure what is causing this. I cannot
>>> find
>>> any clue in the logs. There is not much out there. I do not know how to
>>> reproduce this.
>>>
>>> Anyone with similar issue? Any suggestions?
>>>
>>> Cheers
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>