[keycloak-dev] clustering Re: what's next for Alpha 3?

Bill Burke bburke at redhat.com
Thu Feb 20 10:47:35 EST 2014

On 2/20/2014 4:36 AM, Marek Posolda wrote:
> Some possible features I can think of:
> -- Clustering support -- For example if I have load-balancer and two
> keycloak servers "kc1" and "kc2" and client application doesn't
> communicate directly with keycloak servers but it uses loadbalancer.
> Then login request could be redirected by loadbalancer to "kc1" where is
> created accessCode entry in TokenManager. But when client application
> sends another request to load-balancer for exchanging code for
> accessToken, it could be served by "kc2", which doesn't have this code
> entry --> error. I did not test this scenario, but I am assuming that it
> probably won't work due to this... Do we want to support this? I've also
> created JIRA https://issues.jboss.org/browse/KEYCLOAK-323 which could be
> related to this.

Clustering really f's up the oauth/openid flow.  The only thing I could 
think of was that the auth-code redirect URL could contain a signed URL 
where the client goes to turn the code into a token.  I was surprised, I 
couldn't find anything in the OpenID Connect spec that covered this.

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list