[keycloak-user] failover scenario

Stian Thorgersen sthorger at redhat.com
Wed Oct 18 23:47:53 EDT 2017


Why not just do DB replication?

On 18 Oct 2017 10:33 pm, "Sud Ramasamy" <to_sud at yahoo.com> wrote:

> Hi Keycloak devs/users,
>
> We are trying to wrap our heads around how we might deploy Keycloak in a
> PROD with DR failover topology and are running into a concern with the
> client secret being different between the clusters.
>
> We have two separate Keycloak clusters with their own databases for our
> PROD and DR datacenters. As part of initial one-time client setup when we
> register the client in the PROD cluster we also register the same client in
> our DR cluster. The configuration for the client is identical between the
> two clusters except for the client secret which is generated by Keycloak.
>
> When there is a DR event for Keycloak (either failure or scheduled
> maintenance) we have the ability to repoint the URL for the PROD Keycloak
> to the DR Keycloak cluster. We don’t change anything else. Unfortunately
> the PROD clients will not be able to establish SSO with the DR cluster
> because the client secret is different.
>
> We’ve considered instead of using the Keycloak APIs to register the client
> in both clusters (thereby having different client secrets) to register the
> client in one cluster and use database scripts to push the same
> configuration to the other cluster database and thereby keep the secrets
> the same.
>
> I was wondering if others have run into this limitation and how you may
> have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support
> purposes). This might be addressed in the upcoming release of Keycloak with
> multi-datacenter support. But that is currently not an option for us.
>
> Thanks in advance for your insight.
> -sud
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
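An added example (not code from this thread or from the Keycloak project) of the approach the question describes: registering the same client in both clusters through the admin REST API, but with the client secret generated once locally and sent verbatim to PROD and DR, so that repointing the URL to the DR cluster works without database scripts. It assumes Python 3, the admin-cli password grant on the master realm, the `/auth` URL prefix of Keycloak 2.x, and that the `secret` field of the client representation is honoured on creation; the cluster URLs, realm, credentials and transport hook are placeholders.

```python
"""
Register one confidential OIDC client in several Keycloak clusters (e.g. PROD
and DR) with an identical, locally generated client secret.

Assumptions (not taken from the mailing-list thread): admin-cli password grant
on the master realm, the /auth prefix used by Keycloak 2.x, and that the
ClientRepresentation 'secret' field is honoured when the client is created.
"""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request


def generate_shared_secret(nbytes: int = 32) -> str:
    """Generate the secret once, outside Keycloak, so every cluster gets the same value."""
    return secrets.token_urlsafe(nbytes)


def build_client_representation(client_id, secret, redirect_uris):
    """ClientRepresentation for a confidential client with an explicit secret."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,                  # confidential: a secret is required
        "clientAuthenticatorType": "client-secret",
        "secret": secret,                       # same value pushed to every cluster
        "redirectUris": list(redirect_uris),
        "standardFlowEnabled": True,
        "directAccessGrantsEnabled": False,
    }


def get_admin_token(base_url, username, password, http_post):
    """Password grant against the master realm using the built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    status, body = http_post(
        f"{base_url}/auth/realms/master/protocol/openid-connect/token",
        form, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request to {base_url} failed: {status} {body}")
    return json.loads(body)["access_token"]


def register_client(base_url, realm, representation, token, http_post):
    """POST the representation; Keycloak answers 201 Created, 409 if clientId exists."""
    status, body = http_post(
        f"{base_url}/auth/admin/realms/{realm}/clients",
        json.dumps(representation).encode(),
        {"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    if status == 409:
        raise RuntimeError(f"{representation['clientId']} already exists on {base_url}")
    if status != 201:
        raise RuntimeError(f"client creation on {base_url} failed: {status} {body}")
    return status


def urllib_post(url, data, headers):
    """Real transport: returns (status, body) and maps HTTP errors to a status code."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def register_everywhere(clusters, realm, client_id, redirect_uris, http_post=urllib_post):
    """clusters: iterable of (base_url, admin_user, admin_password).

    Builds the representation once and creates it in every cluster; returns the
    shared secret so it can be handed to the client application.
    """
    secret = generate_shared_secret()
    rep = build_client_representation(client_id, secret, redirect_uris)
    for base_url, user, pw in clusters:
        token = get_admin_token(base_url, user, pw, http_post)
        register_client(base_url, realm, rep, token, http_post)
    return secret


if __name__ == "__main__":
    # Placeholder cluster addresses and credentials; replace with your own.
    CLUSTERS = [
        ("https://prod-keycloak.example.invalid", "admin", "CHANGE-ME"),
        ("https://dr-keycloak.example.invalid", "admin", "CHANGE-ME"),
    ]
    shared = register_everywhere(CLUSTERS, "myrealm", "my-app",
                                 ["https://my-app.example.invalid/*"])
    print("client registered in all clusters; secret length:", len(shared))
```

The transport is injected so the same function can be exercised against a stub, and a 409 on either cluster aborts the run rather than leaving the two clusters with different secrets; if PROD succeeds and DR fails, rerun after deleting the PROD client or push the same secret to DR separately, and keep the returned secret wherever the application's other credentials already live.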