9:24 a.m.
Hi Keycloak devs/users,
We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR
failover topology and are running into a concern with the client secret being different
between the clusters.
We have two separate Keycloak clusters with their own databases for our PROD and DR
datacenters. As part of initial one-time client setup when we register the client in the
PROD cluster we also register the same client in our DR cluster. The configuration for the
client is identical between the two clusters except for the client secret which is
generated by Keycloak.
When there is a DR event for Keycloak (either failure or scheduled maintenance) we have
the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don’t
change anything else. Unfortunately the PROD clients will not be able to establish SSO
with the DR cluster because the client secret is different.
We’ve considered instead of using the Keycloak APIs to register the client in both
clusters (thereby having different client secrets) to register the client in one cluster
and use database scripts to push the same configuration to the other cluster database and
thereby keep the secrets the same.
I was wondering if others have run into this limitation and how you may have solved for
it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in
the upcoming release of Keycloak with multi-datacenter support. But that is currently not
an option for us.
Thanks in advance for your insight.
-sud
10:47 p.m.
Why not just do DB replication?
On 18 Oct 2017 10:33 pm, "Sud Ramasamy" <to_sud(a)yahoo.com> wrote:
Hi Keycloak devs/users,
We are trying to wrap our heads around how we might deploy Keycloak in a
PROD with DR failover topology and are running into a concern with the
client secret being different between the clusters.
We have two separate Keycloak clusters with their own databases for our
PROD and DR datacenters. As part of initial one-time client setup when we
register the client in the PROD cluster we also register the same client in
our DR cluster. The configuration for the client is identical between the
two clusters except for the client secret which is generated by Keycloak.
When there is a DR event for Keycloak (either failure or scheduled
maintenance) we have the ability to repoint the URL for the PROD Keycloak
to the DR Keycloak cluster. We don’t change anything else. Unfortunately
the PROD clients will not be able to establish SSO with the DR cluster
because the client secret is different.
We’ve considered instead of using the Keycloak APIs to register the client
in both clusters (thereby having different client secrets) to register the
client in one cluster and use database scripts to push the same
configuration to the other cluster database and thereby keep the secrets
the same.
I was wondering if others have run into this limitation and how you may
have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support
purposes). This might be addressed in the upcoming release of Keycloak with
multi-datacenter support. But that is currently not an option for us.
Thanks in advance for your insight.
-sud
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:15 a.m.
With our need to treat the two clusters as being independent, we did consider scripting
the replication of the configuration data from one db to the other. But we’d have to be
selective about what we replicate and update the script as the schema changes with
upgrades.
We’re now looking at using signed JWT as the client authentication mechanism instead of
the Keycloak generated secret. So long as we use the same key’s and certificates between
the PROD and DR configuration it appears that this should solve this issue.
Thoughts?
-sud
On October 18, 2017 at 11:47:56 PM, Stian Thorgersen (sthorger(a)redhat.com) wrote:
Why not just do DB replication?
On 18 Oct 2017 10:33 pm, "Sud Ramasamy" <to_sud(a)yahoo.com> wrote:
Hi Keycloak devs/users,
We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR
failover topology and are running into a concern with the client secret being different
between the clusters.
We have two separate Keycloak clusters with their own databases for our PROD and DR
datacenters. As part of initial one-time client setup when we register the client in the
PROD cluster we also register the same client in our DR cluster. The configuration for the
client is identical between the two clusters except for the client secret which is
generated by Keycloak.
When there is a DR event for Keycloak (either failure or scheduled maintenance) we have
the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don’t
change anything else. Unfortunately the PROD clients will not be able to establish SSO
with the DR cluster because the client secret is different.
We’ve considered instead of using the Keycloak APIs to register the client in both
clusters (thereby having different client secrets) to register the client in one cluster
and use database scripts to push the same configuration to the other cluster database and
thereby keep the secrets the same.
I was wondering if others have run into this limitation and how you may have solved for
it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in
the upcoming release of Keycloak with multi-datacenter support. But that is currently not
an option for us.
Thanks in advance for your insight.
-sud
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:41 p.m.
We use the admin api to register clients via json:
/bin/kcadm.sh create clients
This lets us specify the client details including the secret, we do this to provision all
our clients via ansible to any instance that is required.
Matt
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Sud Ramasamy
Sent: Friday, 20 October 2017 1:16 AM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] failover scenario
With our need to treat the two clusters as being independent, we did consider scripting
the replication of the configuration data from one db to the other. But we’d have to be
selective about what we replicate and update the script as the schema changes with
upgrades.
We’re now looking at using signed JWT as the client authentication mechanism instead of
the Keycloak generated secret. So long as we use the same key’s and certificates between
the PROD and DR configuration it appears that this should solve this issue.
Thoughts?
-sud
On October 18, 2017 at 11:47:56 PM, Stian Thorgersen (sthorger(a)redhat.com) wrote:
Why not just do DB replication?
On 18 Oct 2017 10:33 pm, "Sud Ramasamy" <to_sud(a)yahoo.com> wrote:
Hi Keycloak devs/users,
We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR
failover topology and are running into a concern with the client secret being different
between the clusters.
We have two separate Keycloak clusters with their own databases for our PROD and DR
datacenters. As part of initial one-time client setup when we register the client in the
PROD cluster we also register the same client in our DR cluster. The configuration for the
client is identical between the two clusters except for the client secret which is
generated by Keycloak.
When there is a DR event for Keycloak (either failure or scheduled maintenance) we have
the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don’t
change anything else. Unfortunately the PROD clients will not be able to establish SSO
with the DR cluster because the client secret is different.
We’ve considered instead of using the Keycloak APIs to register the client in both
clusters (thereby having different client secrets) to register the client in one cluster
and use database scripts to push the same configuration to the other cluster database and
thereby keep the secrets the same.
I was wondering if others have run into this limitation and how you may have solved for
it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in
the upcoming release of Keycloak with multi-datacenter support. But that is currently not
an option for us.
Thanks in advance for your insight.
-sud
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:48 a.m.
Having two completely separate and independent clusters seems very limited,
error prone and hard to manage IMO. What about things like user sessions,
required actions, users, dynamic client registration, etc.. None of those
things will work properly if you don't have it propagated to the two
clusters.
By the way we are working on introducing cross DC support. See the recent
blog post for an early preview that can be tried out.
On 19 October 2017 at 16:15, Sud Ramasamy <to_sud(a)yahoo.com> wrote:
With our need to treat the two clusters as being independent, we did
consider scripting the replication of the configuration data from one db to
the other. But we’d have to be selective about what we replicate and update
the script as the schema changes with upgrades.
We’re now looking at using signed JWT as the client authentication
mechanism instead of the Keycloak generated secret. So long as we use the
same key’s and certificates between the PROD and DR configuration it
appears that this should solve this issue.
Thoughts?
-sud
On October 18, 2017 at 11:47:56 PM, Stian Thorgersen (sthorger(a)redhat.com)
wrote:
Why not just do DB replication?
On 18 Oct 2017 10:33 pm, "Sud Ramasamy" <to_sud(a)yahoo.com> wrote:
Hi Keycloak devs/users,
We are trying to wrap our heads around how we might deploy Keycloak in a
PROD with DR failover topology and are running into a concern with the
client secret being different between the clusters.
We have two separate Keycloak clusters with their own databases for our
PROD and DR datacenters. As part of initial one-time client setup when we
register the client in the PROD cluster we also register the same client in
our DR cluster. The configuration for the client is identical between the
two clusters except for the client secret which is generated by Keycloak.
When there is a DR event for Keycloak (either failure or scheduled
maintenance) we have the ability to repoint the URL for the PROD Keycloak
to the DR Keycloak cluster. We don’t change anything else. Unfortunately
the PROD clients will not be able to establish SSO with the DR cluster
because the client secret is different.
We’ve considered instead of using the Keycloak APIs to register the client
in both clusters (thereby having different client secrets) to register the
client in one cluster and use database scripts to push the same
configuration to the other cluster database and thereby keep the secrets
the same.
I was wondering if others have run into this limitation and how you may
have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support
purposes). This might be addressed in the upcoming release of Keycloak with
multi-datacenter support. But that is currently not an option for us.
Thanks in advance for your insight.
-sud
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2625
days inactive
2627
days old
4 comments
3 participants
participants (3)
-
Matt Evans -
Stian Thorgersen -
Sud Ramasamy