[keycloak-dev] sticky sessions
Marek Posolda
mposolda at redhat.com
Wed Dec 2 09:50:18 EST 2015
Not sure if callback URI will work, because application may be able to
see just the loadbalancer node and underlying cluster nodes might be
hidden from it.
For example if you have callback URI like
http://node1:8080/auth/.../token, application may not be able to
directly access host "node1" because it's hidden and application can
access just http://loadbalancer:8080 .
Marek
On 02/12/15 15:34, Bill Burke wrote:
> IMO, we need to highlight and document that when using a load balancer
> in a cluster, sticky sessions should be enabled. We might even want to
> consider adding support for sticky sessions for the code2token flow.
> The obvious reason is performance. Login can span multiple HTTP
> requests. If you have N nodes in the cluster with no clustering you
> have the possibility of the same user being retrieved from the database
> N times. One time for each authentication request (username/password,
> OTP page, required actions) and finally for the code 2 token request.
> Until I look into fixing it the auth SPI does a few extra redirects
> right now too.
>
> Code 2 token could simply have a callback URI so that the code 2 token
> request hits the same machine the code was created on.
>
>
>
More information about the keycloak-dev
mailing list