[keycloak-user] Logout in cluster environments

Pulkit Gupta pulgupta at redhat.com
Wed Jan 25 15:25:47 EST 2017


Hi Hynek,

I have created a JIRA for the issue.
https://issues.jboss.org/browse/KEYCLOAK-4288

I have tried to summarize the complete conversation in the JIRA.

Regards,
Pulkit


On Wed, Jan 25, 2017 at 4:16 PM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> There's quite a lot of useful information in this thread. Could you
> please file a JIRA issue with a reference to this thread?
>
> Thank you
>
> --Hynek
>
> On Wed, Jan 25, 2017 at 11:08 AM, Pulkit Gupta <pulgupta at redhat.com>
> wrote:
> > Hi Marek,
> >
> > In continuation to the previous mail I can see that the SAML assertion is
> > getting deleted but the individual sessions within different applications
> > are getting maintained.
> > And thus the user is able to login back to the applications which he was
> > using.
> > But if he is opening a new application for the first time and as there is
> > no existing session and SAML assertion is already deleted he is correctly
> > asked to enter his credentials.
> > I think this will be helpful for you to pin point the issue.
> >
> > Regards,
> > Pulkit
> >
> > On Wed, Jan 25, 2017 at 1:59 PM, Pulkit Gupta <pulgupta at redhat.com> wrote:
> >
> >> Thanks Marek,
> >>
> >> I worked more around this and now the sessions are getting replicated
> >> across the cluster for our applications.
> >>
> >> However still I can see that when we logout we are able to login back
> >> without entering the credentials.
> >> This happens most of the times but a few times we are logged out
> >> correctly.
> >>
> >> I am not sure why the logout is not ending the user session and why we
> >> are able to visit the protected resource without re authenticating.
> >> Can you please suggest something where can I look.
> >>
> >> Regards,
> >> Pulkit
> >>
> >>
> >>
> >> On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda <mposolda at redhat.com>
> >> wrote:
> >>
> >>> I don't see anything in our documentation for Keycloak SAML adapter.
> >>> Not sure if we support clustering or not. Maybe someone else knows.
> >>>
> >>> But I think that if you have <distributable /> in your applications and
> >>> it still doesn't work, then feel free to create JIRA.
> >>>
> >>> Marek
> >>>
> >>> On 20/01/17 17:29, Pulkit Gupta wrote:
> >>>
> >>> We can't really move to OIDC as we have already used SAML for a number
> >>> of apps.
> >>> Is clustering not supported by SAML client adapters for Jboss?
> >>>
> >>> Regards,
> >>> Pulkit
> >>>
> >>>
> >>> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda <mposolda at redhat.com>
> >>> wrote:
> >>>
> >>>> This is supposed to work for Keycloak OIDC clients and some docs are here
> >>>> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html .
> >>>>
> >>>> I don't know about Keycloak SAML clients. Is it an alternative for you
> >>>> to try OIDC instead of SAML?
> >>>>
> >>>> Marek
> >>>>
> >>>> On 20/01/17 08:19, Pulkit Gupta wrote:
> >>>>
> >>>>> Hi All,
> >>>>>
> >>>>> I am running multiple applications deployed on a Jboss cluster with
> >>>>> infinispan used as a cache and for distributed sessions.
> >>>>> I verified and can see that session replication is working for a normal
> >>>>> application where I can see the same session on all the servers in the
> >>>>> cluster and hence the application is working fine without session
> >>>>> stickiness.
> >>>>>
> >>>>> However when I am trying to use any Keycloak SAML client based application
> >>>>> it is only working if the request is going to a particular box in the
> >>>>> cluster. On all the other boxes we are getting errors.
> >>>>> From this behavior I am concluding that somehow for Keycloak based
> >>>>> applications sessions are not getting replicated.
> >>>>> Both these applications have <distributable /> tag in them so I am not sure
> >>>>> why it is showing different behaviour.
> >>>>>
> >>>>> I know we can fix this by just enabling session stickiness but we want the
> >>>>> sessions to be replicated as well.
> >>>>> This is because we want to make our set up more resilient. Also in case of
> >>>>> logout when Keycloak is sending a back channel logout request it may send
> >>>>> it to any server in the cluster.
> >>>>> If the sessions are not properly replicated then the logout will fail as
> >>>>> the session will remain preserved on some other server in the cluster.
> >>>>>
> >>>>> Can someone please suggest me something what to try.
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Thanks,
> >>> Pulkit
> >>> AMS
> >>>
> >>>
> >>>
> >>
> >>
> >> --
> >> Thanks,
> >> Pulkit
> >> AMS
> >>
> >
> >
> >
> > --
> > Thanks,
> > Pulkit
> > AMS
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek
>



-- 
Thanks,
Pulkit
AMS
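
Added illustration, not part of the thread and not Keycloak or JBoss code: a constructed two-node model of the failure the original question describes, where a back-channel logout lands on a node that does not hold the user's application session. The class, function names and session identifiers are hypothetical; a shared dict stands in for a replicated cache.

```python
# Constructed model: each node keeps HTTP sessions plus an index from the
# IdP's SSO session to the HTTP sessions created under it.
class Node:
    def __init__(self, name, sessions, sso_index):
        self.name = name
        self.sessions = sessions      # http_session_id -> principal
        self.sso_index = sso_index    # idp_session_index -> {http_session_id}

    def login(self, http_sid, principal, idp_session_index):
        self.sessions[http_sid] = principal
        self.sso_index.setdefault(idp_session_index, set()).add(http_sid)

    def backchannel_logout(self, idp_session_index):
        # The IdP names the SSO session, not the browser cookie, so the node
        # can only end HTTP sessions it can find through the index.
        for sid in self.sso_index.pop(idp_session_index, set()):
            self.sessions.pop(sid, None)

    def is_authenticated(self, http_sid):
        return http_sid in self.sessions


def build_cluster(replicated, size=2):
    if replicated:
        sessions, index = {}, {}      # one store visible to every node
        return [Node(f"node{i}", sessions, index) for i in range(size)]
    return [Node(f"node{i}", {}, {}) for i in range(size)]


def surviving_nodes(replicated, login_node=0, logout_node=1):
    """Names of nodes that still accept the old cookie after the logout."""
    cluster = build_cluster(replicated)
    cluster[login_node].login("JSESSIONID-abc", "alice", "idp-session-1")
    cluster[logout_node].backchannel_logout("idp-session-1")
    return [n.name for n in cluster if n.is_authenticated("JSESSIONID-abc")]


if __name__ == "__main__":
    print("local stores, logout on other node:", surviving_nodes(False))
    print("local stores, logout on same node: ", surviving_nodes(False, 0, 0))
    print("replicated sessions and index:     ", surviving_nodes(True))
```

With node-local stores the outcome depends on which node receives the logout request, so a check after logout should replay the old session cookie against every node directly rather than through the load balancer.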

