[keycloak-dev] Resolving of relative redirectUri in cluster

Marek Posolda mposolda at redhat.com
Mon Sep 29 02:38:58 EDT 2014


I wonder if it's ok to add possibility to WildFly/AS7 adapter for 
alternative resolving of relative redirectUris. Currently it's always 
retrieved from HTTP request sent by browser (i.e. with relative uri 
"/auth" and HTTP request is "http://localhost:8080/customer-portal" then 
adapter is able to resolve the URI to "http://localhost:8080/auth"). Is 
it ok to have possibility (perhaps boolean config option on adapter like 
"preserve-hostname") to resolve them from the actual hostname instead of 
browser request? Usually it's not much difference, but in cluster there 
might be scenario like:
- Setup with loadbalancer on "http://frontend:8080" and 2 backend 
cluster nodes "http://backend-node1:8080" and "http://backend-node2:8080"
- Then user filled login form. Now assume that request with 
code+state is processed on 
"http://backend-node1:8080/customer-portal?code=...&state=..." . Now 
adapter sends codeToToken exchanging request to relative URI, which is 
resolved from browser to "http://frontend:8080". So adapter sends 
request to loadbalancer, which is then resent back to one of backend 
nodes. So 2 additional network hops needed.

So when there is possibility to resolve relative URI from hostname, then 
backend-node1 will send exchanging request to itself instead of going 
through loadbalancer. In cluster it should help to save performance and 
reduce network communication.

Note that this will be configurable and will be used by adapters just 
for backend requests (codeToToken, refresh token etc). All browser 
redirects will still need to go through loadbalancer IMO, in usual 
cluster environments are cluster nodes hidden in private network and URI 
like "http://backend-node1:8080/auth" may not be available for users.

wdyt?

Marek
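The two resolution strategies from the proposal, as an added illustration that is not part of the original post or of the Keycloak adapter code: the hostnames, the `preserve_hostname` option name and the hop-counting model are constructed from the message above.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Constructed topology from the post: one load balancer in front of two nodes.
FRONTEND = "http://frontend:8080"
BACKEND_NODES = ["http://backend-node1:8080", "http://backend-node2:8080"]


@dataclass(frozen=True)
class AdapterConfig:
    preserve_hostname: bool  # hypothetical option name taken from the post
    local_base: str          # hostname this cluster node knows for itself


def _browser_base(browser_request_uri):
    """Scheme and host as the browser saw them (the load balancer in a cluster)."""
    parts = urlsplit(browser_request_uri)
    return f"{parts.scheme}://{parts.netloc}"


def resolve_backend_uri(relative_uri, browser_request_uri, cfg):
    """Resolve a relative URI for an adapter-to-server call (codeToToken, refresh).

    Default behaviour: resolve against the base of the request the browser sent,
    so in a cluster the call goes back out through the load balancer.
    With preserve_hostname the node's own hostname is used instead."""
    base = cfg.local_base if cfg.preserve_hostname else _browser_base(browser_request_uri)
    return urljoin(base, relative_uri)


def resolve_browser_redirect(relative_uri, browser_request_uri):
    """Browser redirects always use the browser-visible host; backend nodes
    sit in a private network and may not be reachable by the user."""
    return urljoin(_browser_base(browser_request_uri), relative_uri)


def network_hops(target_uri, sending_node):
    """Hops until the request is served: none when a node calls itself, two
    when it goes to the load balancer and is forwarded back to a backend node,
    one for a direct call to another host."""
    host = urlsplit(target_uri).netloc
    if host == urlsplit(sending_node).netloc:
        return 0
    if host == urlsplit(FRONTEND).netloc:
        return 2
    return 1
```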

