[keycloak-user] Keycloak caching issue

Farzad Panahi farzad.panahi at gmail.com
Mon Jun 10 15:35:55 EDT 2019


Hi Pedro,

I think I can say that it happens after changing the authorization
settings. For instance I add resources/policies/permissions.

To get the permissions (in Kotlin):
- I get the access token from KeycloakSecurityContext
accessToken = getKeycloakSecurityContext().tokenString

- Create AuthzClient and send access token and an instance of
AuthorizaionRequest to it and extract the RPT:
rpt =
authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token

- Then using the AuthzClient again I call the introspect RPT API to get the
guts of RPT and get the permissions:
permissions =
authzClient.protection().introspectRequestingPartyToken(rpt).permissions

It is this permissions object that is not consistent between two nodes.


Cheers

Farzad

On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> Does it happen after changing anything in your client's authorization
> settings (eg.: resources, scopes, permissions, etc) ?
>
> How are you sending authorization requests? By passing a set of one or
> more permission parameters, obtaining all permissions or using a UMA ticket
> ?
>
> Regards.
> Pedro Igor
>
> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi,
>>
>> I have two  Keycloak nodes (4.8.3) in standalone cluster mode. I have a
>> load-balancer in front of them. I noticed that sometimes I am getting
>> inconsistent RPTs meaning that I send two queries and the two RPTs
>> returned
>> have different granted permissions in them.
>>
>> So I wend behind the load-balancer and queried each node individually. It
>> turns out that one of the nodes is always returning wrong set of
>> permissions in RPT.
>>
>> If I go to the admin console and clear the realm cache, then both nodes
>> would return the same correct permissions right away.
>>
>> This is so intermittent. I am not sure what is causing this. I cannot find
>> any clue in the logs. There is not much out there. I do not know how to
>> reproduce this.
>>
>> Anyone with similar issue? Any suggestions?
>>
>> Cheers
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>


More information about the keycloak-user mailing list