These problems only happen when a cluster node dies? If so:
How are you setting up the distributed cache for user sessions? If you
have only 1 owner, then the session is only replicated on one node.
This is the default behavior.
<distributed-cache name="sessions" mode="SYNC" owners="1"/>
302 redirects should not be cached by the browser unless a Cache-Control
header is set. Do you have a filter doing this?
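The two checks suggested in the reply above, written out as an added example (Python, not code from this thread or from the Keycloak project): the first audits an Infinispan subsystem fragment for distributed caches that keep only one copy of each entry, and rewrites them to two owners; the second decides whether a 302, such as the login redirect that carries the authorization code back to the client, has headers that let a browser store and replay it. The XML fragment and the HTTP responses are constructed for the demo; the cache names other than "sessions", the subsystem namespace version and the WildFly default for a missing `owners` attribute are assumptions.

```python
"""Audit a Keycloak HA cache config for single-owner caches and check whether
a 302 carries headers that make it cacheable. Constructed inputs throughout."""
import xml.etree.ElementTree as ET

# Constructed fragment modelled on a Keycloak 1.9-era standalone-ha.xml
# (cache names besides "sessions" and the namespace version are assumptions).
KEYCLOAK_CACHE_XML = """\
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <local-cache name="realms"/>
    <local-cache name="users"/>
    <distributed-cache name="sessions" mode="SYNC" owners="1"/>
    <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
    <replicated-cache name="work" mode="SYNC"/>
  </cache-container>
</subsystem>
"""


def _local(tag):
    """Strip the XML namespace so the audit works for any subsystem version."""
    return tag.rsplit("}", 1)[-1]


def single_owner_caches(xml_text, min_owners=2):
    """Names of distributed caches whose entries vanish when one node dies.

    Infinispan keeps 'owners' copies of every entry. With owners="1" a user
    session, and the authorization code tied to it, lives on exactly one node;
    if that node leaves the cluster, the code-to-token call handled by a
    surviving node answers "Code not found".
    """
    root = ET.fromstring(xml_text)
    weak = []
    for el in root.iter():
        if _local(el.tag) != "distributed-cache":
            continue
        # Assumption: WildFly uses 2 owners when the attribute is absent.
        if int(el.get("owners", "2")) < min_owners:
            weak.append(el.get("name"))
    return weak


def raise_owners(xml_text, owners=2):
    """Return the fragment with every under-replicated cache set to 'owners'.

    Two owners survive the loss of one node; raise it further (or use a
    replicated-cache) if several nodes may fail at once.
    """
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Re-register the default namespace so the output stays a valid subsystem block.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for el in root.iter():
        if _local(el.tag) == "distributed-cache" and int(el.get("owners", "2")) < owners:
            el.set("owners", str(owners))
    return ET.tostring(root, encoding="unicode")


# Constructed responses: the same code-bearing redirect with different caching headers.
LOCATION = "Location: https://app.example.com/sso/callback?code=abc123&state=xyz\r\n"
SAFE_302 = "HTTP/1.1 302 Found\r\n" + LOCATION + "Cache-Control: no-store, must-revalidate\r\nPragma: no-cache\r\n\r\n"
BARE_302 = "HTTP/1.1 302 Found\r\n" + LOCATION + "\r\n"
CACHEABLE_302 = "HTTP/1.1 302 Found\r\n" + LOCATION + "Cache-Control: public, max-age=3600\r\n\r\n"


def redirect_is_cacheable(raw_response):
    """(cacheable, reason) for one raw HTTP/1.1 response.

    Per RFC 7234 a 302 is not cacheable by default: a browser may only store
    and reuse it when the response carries explicit freshness (Cache-Control
    max-age/s-maxage or Expires) and no no-store/no-cache. A replayed 302
    re-presents an already-used authorization code, which fails with
    invalid_grant at the token endpoint.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if code != 302:
        return False, "status %d is not a 302" % code
    directives = {d.strip().split("=", 1)[0].lower()
                  for d in headers.get("cache-control", "").split(",") if d.strip()}
    if "no-store" in directives or "no-cache" in directives:
        return False, "Cache-Control forbids reuse without revalidation"
    if directives & {"max-age", "s-maxage"}:
        return True, "explicit freshness in Cache-Control"
    if "expires" in headers:
        return True, "Expires header gives explicit freshness"
    return False, "no freshness information; a 302 is not cacheable by default"


if __name__ == "__main__":
    print("single-owner caches:", single_owner_caches(KEYCLOAK_CACHE_XML))
    for name, resp in (("safe", SAFE_302), ("bare", BARE_302), ("cacheable", CACHEABLE_302)):
        print(name, redirect_is_cacheable(resp))
```

Run it against the real `standalone-ha.xml` by reading the file into `single_owner_caches`, and against the real login redirect by capturing the raw response headers (for example from the browser's network tab or a proxy) and passing them to `redirect_is_cacheable`. A filter on the client that adds `Cache-Control: max-age` or `Expires` to a 302 is what the reply is asking about; `no-store` on the redirect is the setting you want.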
Hi,
So it looks like the previous fix to the logout URL did the trick.
I've now run into a much harder to solve problem (and harder to
describe). We are inconsistently able to log in to our client
applications using Keycloak for authentication. Trying the same
username+password has about an 80% chance of logging you in correctly.
It has a 15% chance of logging you in correctly if a Keycloak node
within a Keycloak cluster dies. I made up the %'s, but it's based on
what we are observing. So a user is actually able to log in in the
sense of putting in a username+password and getting redirected to the
client applications; after that, things may or may not go wrong. Oftentimes
they will access the client application with the correct role
and everything will work OK. Sometimes, though, if something goes wrong
they will be redirected back to the client and will not be able to
access the client correctly. The stacktraces below usually show up in
those cases. I think it might be related to the Keycloak cache + browser
cache having weird issues, as the only way I've seen to resolve this
issue is to destroy the session cache within Keycloak and get rid of
the browser cache (the browser cache is more of a fault of the client app,
probably). Even with this it can take multiple attempts before a user
regains the ability to go to the Keycloak admin page, and it still may or
may not lead to a successful redirect to the client with a correctly
authenticated account (could start this whole weird loop again with
the stacktraces below). I don't know if anyone has run into an issue
like this. I was also hoping to find examples of client applications
that have their own accounts which somehow get mapped to Keycloak
accounts, but I haven't seen any.
Environment
------------------------
- keycloak 1.9.1.Final
- running using standalone-HA.xml
- using JGroups+JDBC_Ping
- postgres database
- on AWS
- some global roles (set on user accounts)
Client
------------
- running on Wildfly10
- using keycloak subsystem
- client protocol = openid-connect
- access type = confidential
- standard flow enabled
- client authenticator = client id and secret
Keycloak 1.9.1 server error
-------------------------------------------
2016-04-14 01:20:11,112 WARN [org.keycloak.events] (default task-17)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890,
clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=b2744ba1-7f74-4849-8077-b17659af3095,
client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
client_auth_method=client-secret
Wildfly 10 client server error:
-----------------------------------------
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah(a)example.com ] failed to turn
code into token
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah(a)example.com ] status from
server: 400
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah(a)example.com ]
{"error_description":"Code not
found","error":"invalid_grant"}
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
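The server log quoted in the post shows the same code_id failing twice. An added example (Python, not from the thread or from Keycloak) that parses lines in the org.keycloak.events format shown above and groups CODE_TO_TOKEN_ERROR events by code_id, so that a code presented more than once (what a replayed or cached redirect produces) can be told apart from a code that failed exactly once (with a single-owner session cache, typically a session that died with its node). The log lines below are constructed in the quoted format, with one extra LOGIN_ERROR line to show filtering and one late repeat of the same code; the field names on the LOGIN_ERROR line and the interpretation of the two buckets are assumptions of this example, not a Keycloak diagnosis.

```python
"""Group Keycloak CODE_TO_TOKEN_ERROR events by code_id. Constructed log input."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines modelled on the org.keycloak.events WARN format from the post.
SAMPLE_LOG = """\
2016-04-14 01:19:58,330 WARN [org.keycloak.events] (default task-11) type=LOGIN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=user_not_found, auth_method=openid-connect
2016-04-14 01:20:11,112 WARN [org.keycloak.events] (default task-17) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=b2744ba1-7f74-4849-8077-b17659af3095, client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
2016-04-14 01:31:40,009 WARN [org.keycloak.events] (default task-8) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[org\.keycloak\.events\] \((?P<thread>[^)]*)\) (?P<fields>.*)$"
)


def parse_event(line):
    """Turn one event line into a dict of its key=value fields, or None.

    The timestamp is parsed into a datetime under the key 'ts'; the worker
    thread is kept under 'thread' because two identical events from the same
    thread with the same millisecond are worth a second look in themselves.
    """
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    fields["thread"] = m.group("thread")
    return fields


def code_to_token_failures(log_text):
    """Map code_id -> sorted timestamps of its CODE_TO_TOKEN_ERROR events."""
    by_code = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "CODE_TO_TOKEN_ERROR" and "code_id" in ev:
            by_code[ev["code_id"]].append(ev["ts"])
    return {code: sorted(stamps) for code, stamps in by_code.items()}


def summarize(by_code):
    """Per code: how often it was rejected and over how many seconds."""
    return {
        code: {"count": len(stamps),
               "span_s": (stamps[-1] - stamps[0]).total_seconds()}
        for code, stamps in by_code.items()
    }


def replayed_codes(log_text):
    """Codes rejected more than once: the same authorization code was sent to
    the token endpoint repeatedly, which is what a cached or re-navigated
    redirect produces. A code rejected exactly once is the other bucket:
    with owners="1" that is usually a session that left with its node.
    (Bucket interpretation is an assumption of this example.)"""
    return sorted(code for code, s in summarize(code_to_token_failures(log_text)).items()
                  if s["count"] > 1)


if __name__ == "__main__":
    for code, stats in summarize(code_to_token_failures(SAMPLE_LOG)).items():
        print(code, stats)
    print("replayed:", replayed_codes(SAMPLE_LOG))
```

Point it at the real server log (`code_to_token_failures(open(path).read())`) and compare the timestamps of single-failure codes with the JGroups view changes in the same log: failures that cluster right after a node leaves support the owners="1" explanation, while codes that repeat point at the redirect being replayed on the client side.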