[keycloak-user] Keycloak caching issue

Pedro Igor Silva psilva at redhat.com
Tue Jun 11 07:39:02 EDT 2019


I've tried different changes to settings and I think I got one. Could you
confirm that you are changing a resource permission by replacing the type
with a specific resource?

On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Hi Pedro,
>
> I think I can say that it happens after changing the authorization
> settings. For instance I add resources/policies/permissions.
>
> To get the permissions (in Kotlin):
> - I get the access token from KeycloakSecurityContext
> accessToken = getKeycloakSecurityContext().tokenString
>
> - Create AuthzClient and send access token and an instance of
> AuthorizationRequest to it and extract the RPT:
> rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>
> - Then using the AuthzClient again I call the introspect RPT API to get
> the guts of RPT and get the permissions:
> permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>
> It is this permissions object that is not consistent between two nodes.
>
>
> Cheers
>
> Farzad
>
> On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi,
>>
>> Does it happen after changing anything in your client's authorization
>> settings (e.g., resources, scopes, permissions, etc.)?
>>
>> How are you sending authorization requests? By passing a set of one or
>> more permission parameters, obtaining all permissions or using a UMA ticket?
>>
>> Regards.
>> Pedro Igor
>>
>> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a
>>> load-balancer in front of them. I noticed that sometimes I am getting
>>> inconsistent RPTs, meaning that I send two queries and the two RPTs
>>> returned have different granted permissions in them.
>>>
>>> So I went behind the load-balancer and queried each node individually. It
>>> turns out that one of the nodes is always returning the wrong set of
>>> permissions in the RPT.
>>>
>>> If I go to the admin console and clear the realm cache, then both nodes
>>> would return the same correct permissions right away.
>>>
>>> This is so intermittent. I am not sure what is causing this. I cannot
>>> find any clue in the logs. There is not much out there. I do not know
>>> how to reproduce this.
>>>
>>> Anyone with a similar issue? Any suggestions?
>>>
>>> Cheers
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
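
Added example, not part of the original thread or of Keycloak's code: a diagnostic that diffs the permissions granted in two RPTs obtained by querying each node directly, as described in the quoted messages. It assumes the RPT is a compact JWT carrying an authorization.permissions claim with rsid/rsname/scopes entries; the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def rpt_permissions(rpt):
    """Return the set of (resource, scope) pairs granted in an RPT.

    The signature is NOT verified: this is for comparing node output,
    never for deciding whether to trust a token.
    """
    parts = rpt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    grants = set()
    # Assumed claim layout: authorization.permissions[*].{rsid,rsname,scopes}
    for perm in claims.get("authorization", {}).get("permissions", []):
        name = perm.get("rsname") or perm.get("rsid")
        # A permission without scopes covers the resource as a whole.
        for scope in perm.get("scopes") or [None]:
            grants.add((name, scope))
    return grants


def diff_nodes(rpt_a, rpt_b):
    """Report grants present in one node's RPT but not in the other's."""
    a, b = rpt_permissions(rpt_a), rpt_permissions(rpt_b)
    return {"only_a": sorted(a - b, key=str), "only_b": sorted(b - a, key=str)}


def _fake_rpt(permissions):
    # Constructed, unsigned sample token standing in for a real RPT.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    body = {"authorization": {"permissions": permissions}}
    return enc({"alg": "none"}) + "." + enc(body) + ".sig"


# Constructed samples: node B serves a stale permission set.
NODE_A = _fake_rpt([{"rsid": "r1", "rsname": "orders", "scopes": ["read", "write"]}])
NODE_B = _fake_rpt([{"rsid": "r1", "rsname": "orders", "scopes": ["read"]},
                    {"rsid": "r2", "rsname": "reports"}])

if __name__ == "__main__":
    print(diff_nodes(NODE_A, NODE_B))
```

Running the same comparison before and after clearing the realm cache shows whether the divergence is cache-related, since both lists come back empty once the nodes agree.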

