[keycloak-dev] Migrating Keycloak to AWS environment

Kalidindi, Sai Soma Kala sai-soma-kala.kalidindi at microfocus.com
Wed Jan 3 10:01:21 EST 2018


Thank you for your response. Just want to give few more details, the keycloak version we are running is 1.9.8, our refresh tokens  expire as soon as we get new set of access token and refresh token(we have a setting in keycloak turned on for this). Right now what we observe is the refresh token we got from old env is working on new env and vice versa.


From: Scott Rossillo [mailto:srossillo at smartling.com]
Sent: Tuesday, January 02, 2018 6:28 PM
To: Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi at microfocus.com>
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Migrating Keycloak to AWS environment

Hi Sai,

I believe this is the expected behavior because in an HA setup, Keycloak doesn’t persist user sessions to the database, they are stored in the Infinispan distributed cache. Only offline sessions are persisted to the JPA data store.

A core Keycloak developer can correct me if I’m wrong, but this is what I see looking at the latest Keycloak source code and it’s the case on the version we run.

~ Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com<mailto:srossillo at smartling.com>

On Jan 2, 2018, at 10:20 AM, Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi at microfocus.com<mailto:sai-soma-kala.kalidindi at microfocus.com>> wrote:


Our backup product is using Keycloak for SSO. We are migrating all our users to a new instance of keycloak in AWS environment. One of the requirement is all the existing clients which is an agent on the user box running in background which does backup, should not see any re-authentication or login window from their end after migration . User initially login when they have first installed our product and they never see any login any more(our client is non-intrusive, most users don't ever remember the login ), we just refresh every 15 minutes get new set of tokens and so on... and it works for us.  We have tested locally where we have migrated the present keycloak database to our new keycloak aws instance just by using pg_dump and restore command for database of keycloak and we made sure the realm, redirect urls , client secrets are exactly same. We are assuming if everything is exactly the same refresh tokens should still workand we can avoid the login screen. Is this right a!

In our test what we have found is, we made a DNS swap where the client initially going  the old env  gets routed to our new keycloak aws instance(We did CNAME  change on the old env to route traffic to new environment ). The reason for this  Is to make sure our redirect url does not change and the client could still talk to same old urls it is aware of. Long story short, old key cloak env and new key cloak env has exactly same of everything...What we have seen is that the  client which is initalliay  pointing to the old env, after the migration and after doing the DNS switch the old tokens still work on new environment. Once we remove the switch and when the clients go back to old env the tokens still work. Is this a bug or is this expected?


keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>

More information about the keycloak-dev mailing list