Hi Daniel,
We also have these occasional errors in load test setups.
I would assume in this case the cache sync is slower than your client's attempt to exchange
the authcode for the token.
Since the client is a different entity from the user browser, it might end up on a
different Keycloak node than the one that generated the authcode even if you have sticky
sessions.
Maybe you can do a little tuning on the Infinispan cache configuration, but I fear I am
not of much help there.
Best regards,
Sebastian
Dr.-Ing. Sebastian Schuster
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On behalf of Daniel Fernández Rodríguez
Sent: Monday, 11 November 2019 17:29
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] CODE_TO_TOKEN_ERROR and clustered mode
Hi guys,
we have Keycloak v7 configured to use clustered mode.
For that I configured the service to start using standalone-ha.xml
(we have Puppet, so all Keycloaks should have identical config) and added
proxy-address-forwarding="true" (I have one nginx as a reverse proxy taking
care of the HTTPS):

    <http-listener name="default"
        proxy-address-forwarding="true" socket-binding="http"
        redirect-socket="https" enable-http2="true"/>

In front of the Keycloaks I have a couple of HAProxies configured to use
tcp mode.
From time to time, some users complain that they cannot log in.
When I check the logs I see something like:
{"loggerTimestamp":"2019-11-11T15:41:43.647+01:00","sequence":6354,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"WARN","message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, userId=null, ipAddress=111.222.30.198, error=invalid_code, grant_type=authorization_code, code_id=e24eaa47-adfd-48bc-a3bb-4f1fbe4ba59b, client_auth_method=client-secret","threadName":"default task-45","threadId":327,"mdc":{},"ndc":"","hostName":"keycloak-59cd3c0b11.mycompany.com","processName":"jboss-modules.jar","processId":12591}
Do you know what might be happening?
There is not a lot of documentation on how to properly configure
clustered mode.
Thanks a lot.
Daniel.
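One way to check the hypothesis from the reply against the logs, as an added example that is not code from this thread: it pairs each CODE_TO_TOKEN_ERROR with error=invalid_code to the LOGIN event carrying the same code_id and reports whether the two were logged on different nodes, and how far apart. The sample lines and host names are constructed, and it assumes success events are logged as well as errors and that LOGIN events carry the same code_id.

```python
import json
from datetime import datetime

# Constructed sample lines in the JSON log format quoted in the thread (hosts, LOGIN lines assumed).
SAMPLE_LOG = [
    '{"loggerTimestamp":"2019-11-11T15:41:43.601+01:00","loggerName":"org.keycloak.events",'
    '"message":"type=LOGIN, realmId=myrealm, clientId=myclient, code_id=c-1","hostName":"kc-a.example"}',
    '{"loggerTimestamp":"2019-11-11T15:41:43.647+01:00","loggerName":"org.keycloak.events",'
    '"message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, error=invalid_code, '
    'code_id=c-1","hostName":"kc-b.example"}',
    '{"loggerTimestamp":"2019-11-11T15:42:00.000+01:00","loggerName":"org.keycloak.events",'
    '"message":"type=LOGIN, realmId=myrealm, clientId=myclient, code_id=c-2","hostName":"kc-b.example"}',
    '{"loggerTimestamp":"2019-11-11T15:42:05.000+01:00","loggerName":"org.keycloak.events",'
    '"message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, error=invalid_code, '
    'code_id=c-2","hostName":"kc-b.example"}',
    'not a JSON line, e.g. a stack trace fragment',
]

def parse_event(line):
    """Parse one log line; return the event's key=value fields or None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or rec.get("loggerName") != "org.keycloak.events":
        return None
    # The event itself is a flat "key=value, key=value" string inside "message".
    ev = dict(p.split("=", 1) for p in rec.get("message", "").split(", ") if "=" in p)
    ev["host"] = rec.get("hostName")
    ev["ts"] = datetime.fromisoformat(rec["loggerTimestamp"])
    return ev

def failed_exchanges(lines):
    """Pair invalid_code failures with the LOGIN that issued the same code_id."""
    issued, findings = {}, []
    for ev in filter(None, map(parse_event, lines)):
        cid = ev.get("code_id")
        if ev.get("type") == "LOGIN":
            issued[cid] = ev
        elif ev.get("type") == "CODE_TO_TOKEN_ERROR" and ev.get("error") == "invalid_code":
            origin = issued.get(cid)
            findings.append({
                "code_id": cid,
                "issued_on": origin["host"] if origin else None,
                "failed_on": ev["host"],
                "cross_node": bool(origin) and origin["host"] != ev["host"],
                "delay_ms": round((ev["ts"] - origin["ts"]).total_seconds() * 1000) if origin else None,
            })
    return findings
```

A failure with cross_node set and a delay of a few milliseconds fits the slow cache sync explanation; a failure on the issuing node, or seconds later, points elsewhere (for example an expired or already used code).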