[keycloak-user] CODE_TO_TOKEN_ERROR and clustered mode

Schuster Sebastian (INST-CSS/BSV-OS2) Sebastian.Schuster at bosch-si.com
Mon Dec 2 07:14:33 EST 2019


Hi Daniel,

We also have these occasional errors in load test setups.

I would assume that in this case the cache sync is slower than your client's attempt to exchange the authcode for the token.
Since the client is a different entity from the user browser, it might end up on a different Keycloak node than the one that generated the authcode even if you have sticky sessions.

Maybe you can do a little tuning on the Infinispan cache configuration, but I fear I am not of much help there.

Best regards,
Sebastian



-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Daniel Fernández Rodríguez
Sent: Monday, 11 November 2019 17:29
To: keycloak-user <keycloak-user at lists.jboss.org>
Subject: [keycloak-user] CODE_TO_TOKEN_ERROR and clustered mode

Hi guys,

we have keycloak v7 configured to use clustered mode.

For that I configured the service to start using standalone-ha.xml (we have puppet so all keycloaks should have identical config) and added proxy-address-forwarding="true" (I have one nginx as a reverse proxy taking care of the https):

<http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="https" enable-http2="true"/>

In front of the keycloaks I have a couple of HAProxies configured to use 
tcp mode.

From time to time, some users complain that they cannot log in.

When I check the logs I see something like:


{"loggerTimestamp":"2019-11-11T15:41:43.647+01:00","sequence":6354,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"WARN","message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, userId=null, ipAddress=111.222.30.198, error=invalid_code, grant_type=authorization_code, code_id=e24eaa47-adfd-48bc-a3bb-4f1fbe4ba59b, client_auth_method=client-secret","threadName":"default task-45","threadId":327,"mdc":{},"ndc":"","hostName":"keycloak-59cd3c0b11.mycompany.com","processName":"jboss-modules.jar","processId":12591}


Do you know what might be happening?

There is not a lot of documentation on how to properly configure 
clustered mode.

Thanks a lot.

Daniel.
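
Added example, not part of the original thread or of Keycloak: one way to check the different-node explanation above against the logs is to match each invalid_code failure to the event that issued its code_id and compare host names. It assumes successful LOGIN events (carrying code_id) are written to the same JSON log and that node clocks are in sync; the sample lines, host names and ids are constructed.

```python
import json
from datetime import datetime

# Constructed sample in the JSON log format quoted above (hosts, times, ids made up).
# Assumption: successful LOGIN events are also written to this log.
SAMPLE_LOG = """\
{"loggerTimestamp":"2019-11-11T15:41:43.601+01:00","loggerName":"org.keycloak.events","message":"type=LOGIN, realmId=myrealm, clientId=myclient, code_id=aaaa-1111","hostName":"kc-node-a.example.test"}
{"loggerTimestamp":"2019-11-11T15:41:43.647+01:00","loggerName":"org.keycloak.events","message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, error=invalid_code, code_id=aaaa-1111","hostName":"kc-node-b.example.test"}
{"loggerTimestamp":"2019-11-11T15:42:00.000+01:00","loggerName":"org.keycloak.events","message":"type=LOGIN, realmId=myrealm, clientId=myclient, code_id=bbbb-2222","hostName":"kc-node-a.example.test"}
{"loggerTimestamp":"2019-11-11T15:43:05.000+01:00","loggerName":"org.keycloak.events","message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, error=invalid_code, code_id=bbbb-2222","hostName":"kc-node-a.example.test"}
{"loggerTimestamp":"2019-11-11T15:44:00.000+01:00","loggerName":"org.keycloak.events","message":"type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=myclient, error=invalid_code, code_id=cccc-3333","hostName":"kc-node-b.example.test"}
"""

def parse_events(text):
    """Yield (timestamp, host, fields) for each org.keycloak.events record."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(rec, dict) or rec.get("loggerName") != "org.keycloak.events":
            continue
        # The message is a flat "key=value, key=value" list.
        pairs = (p.split("=", 1) for p in rec.get("message", "").split(", ") if "=" in p)
        yield datetime.fromisoformat(rec["loggerTimestamp"]), rec.get("hostName"), dict(pairs)

def classify_invalid_codes(text):
    """Return (code_id, kind, gap_ms, redeeming_host) per invalid_code failure."""
    issued = {}  # code_id -> (timestamp, host) of the LOGIN that issued it
    findings = []
    for ts, host, f in sorted(parse_events(text), key=lambda e: e[0]):
        code_id = f.get("code_id")
        if f.get("type") == "LOGIN" and code_id:
            issued[code_id] = (ts, host)
        elif f.get("type") == "CODE_TO_TOKEN_ERROR" and f.get("error") == "invalid_code":
            if code_id not in issued:
                kind, gap_ms = "issuer-unknown", None  # no LOGIN seen for this code
            else:
                t0, h0 = issued[code_id]
                # cross-node: redeemed on a different node than the one that issued it
                kind = "cross-node" if h0 != host else "same-node"
                gap_ms = round((ts - t0).total_seconds() * 1000)
            findings.append((code_id, kind, gap_ms, host))
    return findings

if __name__ == "__main__":
    for finding in classify_invalid_codes(SAMPLE_LOG):
        print(finding)
```

Many cross-node failures with a gap of a few milliseconds fit the slow cache sync explanation; same-node failures with a long gap do not and need a different look.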


