[keycloak-dev] Resolving of relative redirectUri in cluster
Marek Posolda
mposolda at redhat.com
Mon Sep 29 02:38:58 EDT 2014
I wonder if it's ok to add the possibility to the WildFly/AS7 adapter for
alternative resolving of relative redirectUris. Currently it's always
retrieved from the HTTP request sent by the browser (i.e. with relative URI
"/auth" and HTTP request "http://localhost:8080/customer-portal", the
adapter is able to resolve the URI to "http://localhost:8080/auth"). Is
it ok to have the possibility (perhaps a boolean config option on the adapter like
"preserve-hostname") to resolve them from the actual hostname instead of the
browser request? Usually it's not much difference, but in a cluster there
might be a scenario like:
- Setup with a loadbalancer on "http://frontend:8080" and 2 backend
cluster nodes "http://backend-node1:8080" and "http://backend-node2:8080"
- Then the user fills in the login form. Now assume that the request with
code+state is processed on
"http://backend-node1:8080/customer-portal?code=...&state=...". Now the
adapter sends the codeToToken exchange request to a relative URI, which is
resolved from the browser request to "http://frontend:8080". So the adapter sends the
request to the loadbalancer, which then resends it back to one of the backend
nodes. So 2 additional network hops are needed.
So when there is the possibility to resolve the relative URI from the hostname,
backend-node1 will send the exchange request to itself instead of going
through the loadbalancer. In a cluster it should help to save performance and
reduce network communication.
Note that this will be configurable and will be used by adapters just
for backend requests (codeToToken, refresh token etc.). All browser
redirects will still need to go through the loadbalancer IMO; in usual
cluster environments the cluster nodes are hidden in a private network and a URI
like "http://backend-node1:8080/auth" may not be reachable for users.
wdyt?
Marek
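The two resolution modes described in the mail, as an added illustrative example (not Keycloak adapter code): backend calls may resolve the relative URI against the node's own base URL when the proposed "preserve-hostname" option is on, while browser redirects always resolve against the URL the browser used. The function names, the local base URL and the sample code/state values are assumptions.

```python
"""Resolve a relative redirect URI in a clustered adapter (illustrative only).

Two bases are available: the URL the browser used (the load balancer) and the
node's own base URL, assumed here to be supplied through adapter configuration.
"""
from urllib.parse import urljoin, urlsplit


def resolve_redirect_uri(relative_uri, browser_request_url, local_base_url,
                         preserve_hostname=False, backend_request=False):
    """Return the absolute URI the adapter should call or redirect to.

    Browser redirects are always resolved against the browser's request URL,
    because private node hostnames are not reachable from the client.
    Backend calls (code-to-token, refresh) resolve against the node's own
    base URL when preserve_hostname is set, avoiding the extra hops through
    the load balancer.
    """
    local = urlsplit(local_base_url)
    if not (local.scheme and local.netloc):
        raise ValueError("local_base_url must be absolute: %r" % local_base_url)
    base = local_base_url if (preserve_hostname and backend_request) else browser_request_url
    return urljoin(base, relative_uri)


def stays_on_node(resolved_uri, local_base_url):
    """True when the call never leaves this node (host:port match)."""
    return urlsplit(resolved_uri).netloc == urlsplit(local_base_url).netloc


# Constructed sample values for the scenario in the mail.
BROWSER_URL = "http://frontend:8080/customer-portal?code=abc123&state=xyz"
NODE_BASE = "http://backend-node1:8080/"

if __name__ == "__main__":
    for flag in (False, True):
        target = resolve_redirect_uri("/auth", BROWSER_URL, NODE_BASE,
                                      preserve_hostname=flag, backend_request=True)
        print("preserve-hostname=%s -> %s (local: %s)"
              % (flag, target, stays_on_node(target, NODE_BASE)))
    # A browser redirect is unaffected by the option.
    print(resolve_redirect_uri("/auth", BROWSER_URL, NODE_BASE,
                               preserve_hostname=True, backend_request=False))
```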