[keycloak-dev] Application Clustering problems
Stian Thorgersen
sthorger at redhat.com
Mon Jan 25 09:45:24 EST 2016
HTTP session replicate is not enabled by default. You need to enable it for
your application.
On 25 January 2016 at 14:39, Christian Beikov <christian.beikov at gmail.com>
wrote:
> The documentation states, that the default token-store is "session" and as
> I wrote before, I have setup clustering on my Wildfly 10 CR4 like in
> standalone-ha.xml, so the session should already be replicated.
>
> Regards,
> Christian
>
>
> Am 25.01.2016 um 14:20 schrieb Stian Thorgersen:
>
> Your issue doesn't have anything to do with the Keycloak server side user
> sessions, they don't require sticky sessions.
>
> Your issue is down to the http session on the adapter side not being
> replicated by default. For the adapter you've got 3 choices: sticky
> session, replicated session or stateless. Which is best depends on your
> application.
>
>
> On 25 January 2016 at 14:05, Christian Beikov <
> <christian.beikov at gmail.com>christian.beikov at gmail.com> wrote:
>
>> I don't have a problem with sticky sessions and I will definitively
>> configure them, but I am curious. What is the reason for the problems with
>> round robin in this test scenario? Are the infinispan caches not replicated
>> fast enough or is there an implementation limitation in the adapters?
>>
>
>> Regards,
>> Christian
>>
>>
>> Am 25.01.2016 um 08:58 schrieb Stian Thorgersen:
>>
>> By default the adapters will require sticky sessions, please refer to
>> <http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html>
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html
>> for more information
>>
>> On 22 January 2016 at 12:48, Christian Beikov <
>> <christian.beikov at gmail.com>christian.beikov at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I am running some tests with my application cluster being secured by a
>>> single keycloak server instance and I encountered problems with the
>>> adapter.
>>>
>>> My application cluster contains 2 nodes and is load balanced by nginx.
>>> For testing purposes, I enabled round robin load balancing which is
>>> probably the "cause" for my issues.
>>>
>>> When I access a secured page, I get redirected to keycloak and
>>> everything is fine. When I then login, and keycloak redirects me back to
>>> the application, I get to a different application cluster node because
>>> of round robin. On that node, apparently the initial information of the
>>> client session is not available and I get redirected to keycloak login
>>> page again. Then keycloak redirects me back to the application, this
>>> time to the original node, and says that access is forbidden.
>>>
>>> I suppose the web session caches are not in sync but I just used the
>>> default cache containers as they are defined in standalone-ha.xml of my
>>> Wildlfy 10 CR4. Clustering with jgroups works, as I use other
>>> distributed caches too which work just fine.
>>>
>>> We are using Keycloak 1.8.0.CR2 on a Wildfly 10 CR4
>>>
>>> Regards,
>>> Christian
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160125/80387143/attachment.html
More information about the keycloak-dev
mailing list