[keycloak-user] [EXTERNAL] Re: Cross-Site Replication

Stian Thorgersen sthorger at redhat.com
Wed Jan 4 00:47:31 EST 2017


Yes, db replication is still required

On 3 January 2017 at 18:21, Jacobs, Michael <Michael.Jacobs at nuance.com>
wrote:

> Thanks for posting this, I will model it out.  I assume this solution
> still requires DB replication to keep the underlying persisted data in
> sync.  All that is replicating is the invalidation messages to keep the
> in-memory caches in sync, correct?
>
> MJ
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, December 19, 2016 1:23 AM
> To: stian at redhat.com; Jacobs, Michael <Michael.Jacobs at nuance.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication
>
> On 19/12/16 09:49, Stian Thorgersen wrote:
> > We don't currently support cross-DC replication very well and it is
> > something we are looking at improving in 2017. We're tackling this in
> > stages:
> >
> > 1. Dealing with invalidation caches cross-DC - this is already
> > resolved and is done by using external Infinispan/JDG to replicate
> > invalidation messages cross-DC. I don't think we have documentation on
> > how to set this up yet though.
> I've added some notes for the basic setup:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_keycloak_keycloak_blob_master_misc_CrossDataCenter.md&d=DgIC-g&c=djjh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=AGRIVkkrGet14litX3vdhf_ykaRtxRlysj94q0l8Lu8&m=50RHm2Vt-LV-vgIORPfIfyuJign-H31DDtcYblp18zM&s=ZCC1joWEUE4PfZt_-SAhN_BCytxjKNDdnlCrw-RNT-I&e=
> This is the setup for 1 external JDG server and with 2 Keycloak nodes,
> which are not in the cluster, but they both talk to the JDG server. Feel
> free to check it, just be aware of all the limitations related to sessions
> (points 2, 3, 4).
>
> Marek
> > 2. Support with sessions affinity to a specific DC - as long as all
> > requests for a session are made to the same cluster everything should work
> > already. This is simpler to set up for SAML than for OIDC due to OIDC
> > backchannel requests from both browser and applications for the same
> > session
> > 3. Support session replication - this requires a fair bit of rework on how
> > we do sessions, including during authentication flows, as currently there
> > are too many updates to a session to fully replicate these cross DCs
> > 4. Support without session affinity - allow requests to go to any DC for
> > any session
> >
> > On 16 December 2016 at 20:23, Jacobs, Michael <Michael.Jacobs at nuance.com>
> > wrote:
> >
> >> Greetings,
> >>
> >> I am looking at setting up Cross-site replication for multiple Keycloak
> >> clusters, possibly using DB replication.  I found this question asked
> >> back in May 2016, with no reply.
> >>
> >> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.jboss.org_pipermail_keycloak-2Duser_2016-2DMay_006142.html&d=DgIC-g&c=djjh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=AGRIVkkrGet14litX3vdhf_ykaRtxRlysj94q0l8Lu8&m=50RHm2Vt-LV-vgIORPfIfyuJign-H31DDtcYblp18zM&s=srtVXCGiBzVH8qe714EJTC85zvlVAUUUzueaTpZYwAs&e=
> >>
> >> Does anyone know the best way to set this up?
> >>
> >>
> >> MJ