[keycloak-dev] Facing Issue with Resource Server in Clustered Environment
Marek Posolda
mposolda at redhat.com
Wed Feb 4 09:35:57 EST 2015
Hi,
I am not sure about the details of your environment. You mentioned that
you're not interested in clustering of keycloak server. So am I
understand correctly that you have just 1 node as keycloak server and 2
nodes with your application deployed? Are you using "distributable" tag
in web.xml of your app on both nodes to ensure session replication? Are
you using loadbalancer?
Marek
On 4.2.2015 13:37, Bappaditya Gorai (bgorai) wrote:
> Thanks for the detailed description. Still, It seems in case of
> Clustered Resource environment (distributable without Sticky sessions)
> we are relying on session replication to happen immediately between
> CODE_TO_TOKEN and Resource Hit(302), which may or may not happen. We
> are now facing the same issue where After CODE_TO_TOKEN client is
> redirected to Login URL again.
> Are we addressing this scenario with 1.1.0 Final ?
> Thanks
> Bappaditya Gorai
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, February 02, 2015 2:00 PM
> To: Bappaditya Gorai (bgorai); Stian Thorgersen
> Cc: keycloak-dev at lists.jboss.org
> Subject: Re: [keycloak-dev] Facing Issue with Resource Server in
> Clustered Environment
> Hi,
> it's not stateless by default. Data about keycloak authenticated
> principal are saved in HTTP session by default and can be replicated
> across cluster nodes (replication works as long as your application is
> marked as "distributable" in web.xml).
> However we support stateless adapter, which won't save anything in
> HTTP Session and won't create HTTP session and JSESSIONID cookie at
> all (unless you're calling httpRequest.getSession() in your own
> application). Instead all the data are saved in cookie.
> Some more info in docs:
> http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/applicationClustering.html#stateless-token-store
> Marek
> On 30.1.2015 11:26, Bappaditya Gorai (bgorai) wrote:
> > Thanks for clarifying. So, I think adapter has become stateless in 1.1.0.Final. Is my understanding correct?
> >
> >
> > -----Original Message-----
> > From: Stian Thorgersen [mailto:stian at redhat.com]
> > Sent: Friday, January 30, 2015 1:18 PM
> > To: Bappaditya Gorai (bgorai)
> > Cc:keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > Subject: Re: [keycloak-dev] Facing Issue with Resource Server in
> > Clustered Environment
> >
> >
> >
> > ----- Original Message -----
> >> From: "Bappaditya Gorai (bgorai)" <bgorai at cisco.com <mailto:bgorai at cisco.com>>
> >> To: "Stian Thorgersen" <stian at redhat.com <mailto:stian at redhat.com>>
> >> Cc:keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> >> Sent: Friday, 30 January, 2015 8:38:49 AM
> >> Subject: RE: [keycloak-dev] Facing Issue with Resource Server in Clustered Environment
> >>
> >> We are not talking about clustering for Keycloak server. The setup is
> >> for Resource Server (Keycloak Adapter) in clustered environment.
> > Same answer
> >
> >> Thanks
> >> Bappaditya Gorai
> >>
> >> -----Original Message-----
> >> From: Stian Thorgersen [mailto:stian at redhat.com]
> >> Sent: Friday, January 30, 2015 12:57 PM
> >> To: Bappaditya Gorai (bgorai)
> >> Cc:keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> >> Subject: Re: [keycloak-dev] Facing Issue with Resource Server in
> >> Clustered Environment
> >>
> >> 1.0.4.Final had very limited support for clustering, please upgrade
> >> to 1.1.0.Final and refer to chapter 24 and 25 in the documentation
> >> (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html).
> >>
> >> ----- Original Message -----
> >>> From: "Bappaditya Gorai (bgorai)" <bgorai at cisco.com <mailto:bgorai at cisco.com>>
> >>> To:keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> >>> Sent: Friday, 30 January, 2015 8:22:26 AM
> >>> Subject: [keycloak-dev] Facing Issue with Resource Server in Clustered
> >>> Environment
> >>>
> >>>
> >>>
> >>> Hi Team,
> >>>
> >>> Please find the details on setup and observation below. Please
> >>> provide your suggestion on how to overcome this issue. We are using
> >>> Keycloak 1.0.4.Final (Adapter & Server).
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Setup:
> >>>
> >>> 1. We have brought up Jboss cluster ( Using mod_cluster, httpd )
> >>> with
> >>> 2 nodes in domain mode and enabled session replication between these nodes.
> >>>
> >>> 2. Our Recourse server is deployed in this clustered environment
> >>> with distributable and Sticky session Off.
> >>>
> >>>
> >>>
> >>> Behavior observed :
> >>>
> >>> During the Authorization/Authentication process ,when Initial
> >>> call(Resource
> >>> Access) lands on master and next redirection (post Code To token)
> >>> falls on slave Adapter is treating it as a new session and
> >>> redirecting to login URL again. So we ended up with circular redirection error.
> >>> After further investigation seems like session replication delay is
> >>> causing adapter to behave this way. As the redirection call happens
> >>> very quickly and this results in circular redirection error.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> NOTE: Sticky Session in mod_cluster environment solves the issue but
> >>> it does not provide true load balancing. Therefore we are not
> >>> considering Stick session option.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Thanks
> >>>
> >>> Bappaditya Gorai
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>>keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> >>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > _______________________________________________
> > keycloak-dev mailing list
> >keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> >https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150204/f58b0fdd/attachment-0001.html
More information about the keycloak-dev
mailing list