[keycloak-dev] sticky sessions
Stian Thorgersen
sthorger at redhat.com
Wed Dec 2 09:57:02 EST 2015
We did discuss this quite a lot when we did clustering initially, and we
never found an elegant solution to doing sticky sessions.
On 2 December 2015 at 15:55, Stian Thorgersen <sthorger at redhat.com> wrote:
> Adding callback URI to the token would also make it very Keycloak
> specific. So it would only work for Keycloak adapters.
>
> On 2 December 2015 at 15:50, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Not sure if callback URI will work, because application may be able to
>> see just the loadbalancer node and underlying cluster nodes might be
>> hidden from it.
>>
>> For example if you have callback URI like
>> http://node1:8080/auth/.../token, application may not be able to
>> directly access host "node1" because it's hidden and application can
>> access just http://loadbalancer:8080 .
>>
>> Marek
>>
>> On 02/12/15 15:34, Bill Burke wrote:
>> > IMO, we need to highlight and document that when using a load balancer
>> > in a cluster, sticky sessions should be enabled. We might even want to
>> > consider adding support for sticky sessions for the code2token flow.
>> > The obvious reason is performance. Login can span multiple HTTP
>> > requests. If you have N nodes in the cluster with no clustering you
>> > have the possibility of the same user being retrieved from the database
>> > N times. One time for each authentication request (username/password,
>> > OTP page, required actions) and finally for the code 2 token request.
>> > Until I look into fixing it the auth SPI does a few extra redirects
>> > right now too.
>> >
>> > Code 2 token could simply have a callback URI so that the code 2 token
>> > request hits the same machine the code was created on.