[keycloak-user] failover scenario

[Sud Ramasamy]

Hi Keycloak devs/users,

We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR failover topology and are running into a concern with the client secret being different between the clusters.

We have two separate Keycloak clusters with their own databases for our PROD and DR datacenters. As part of initial one-time client setup when we register the client in the PROD cluster we also register the same client in our DR cluster. The configuration for the client is identical between the two clusters except for the client secret which is generated by Keycloak.

When there is a DR event for Keycloak (either failure or scheduled maintenance) we have the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don’t change anything else. Unfortunately the PROD clients will not be able to establish SSO with the DR cluster because the client secret is different.

We’ve considered instead of using the Keycloak APIs to register the client in both clusters (thereby having different client secrets) to register the client in one cluster and use database scripts to push the same configuration to the other cluster database and thereby keep the secrets the same.

I was wondering if others have run into this limitation and how you may have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in the upcoming release of Keycloak with multi-datacenter support. But that is currently not an option for us.

Thanks in advance for your insight.
-sud