[keycloak-user] Keycloak caching issue

Farzad Panahi farzad.panahi at gmail.com
Mon Jun 17 18:15:32 EDT 2019


I am not able to reproduce it but it is happening constantly. I think what
I can confirm is that if I play around with the authorization stuff
(resource/policy/permission) of a realm, then there is a good chance the
cache for that realm gets screwed up. I will let you know if I find a way
to reproduce it.
In the meantime, is there a config fix for this caching issue?

Thanks

On Tue, Jun 11, 2019 at 4:39 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> I've tried different changes to settings and I think I got one. Could you
> confirm that you are changing a resource permission by replacing the type
> with a specific resource?
>
> On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi Pedro,
>>
>> I think I can say that it happens after changing the authorization
>> settings. For instance I add resources/policies/permissions.
>>
>> To get the permissions (in Kotlin):
>> - I get the access token from KeycloakSecurityContext
>> accessToken = getKeycloakSecurityContext().tokenString
>>
>> - Create AuthzClient and send access token and an instance of
>> AuthorizationRequest to it and extract the RPT:
>> rpt =
>> authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>>
>> - Then using the AuthzClient again I call the introspect RPT API to get
>> the guts of RPT and get the permissions:
>> permissions =
>> authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>>
>> It is this permissions object that is not consistent between two nodes.
>>
>>
>> Cheers
>>
>> Farzad
>>
>> On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Does it happen after changing anything in your client's authorization
>>> settings (e.g. resources, scopes, permissions, etc.)?
>>>
>>> How are you sending authorization requests? By passing a set of one or
>>> more permission parameters, obtaining all permissions or using a UMA
>>> ticket?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi <farzad.panahi at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a
>>>> load-balancer in front of them. I noticed that sometimes I am getting
>>>> inconsistent RPTs, meaning that I send two queries and the two RPTs
>>>> returned have different granted permissions in them.
>>>>
>>>> So I went behind the load-balancer and queried each node individually.
>>>> It turns out that one of the nodes is always returning the wrong set of
>>>> permissions in the RPT.
>>>>
>>>> If I go to the admin console and clear the realm cache, then both nodes
>>>> would return the same correct permissions right away.
>>>>
>>>> This is so intermittent. I am not sure what is causing this. I cannot
>>>> find any clue in the logs. There is not much out there. I do not know
>>>> how to reproduce this.
>>>>
>>>> Anyone with a similar issue? Any suggestions?
>>>>
>>>> Cheers
>>>>
>>>> Farzad
>>>
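An added example, not part of the original thread and not Keycloak's own code: a Python check that compares the permissions carried in RPTs obtained from each node directly (behind the load balancer, as the thread describes) and reports the resources on which the nodes disagree. The claim layout (`authorization.permissions` entries with `rsid`, `rsname`, `scopes`), the node names and the sample tokens are assumptions constructed for illustration; check the layout against a token from your own server.

```python
import base64
import json

def rpt_permissions(rpt):
    """Return {resource: frozenset(scopes)} from an RPT payload.

    The signature is NOT verified: this is for comparing node output only,
    never for making an authorization decision.
    """
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    perms = claims.get("authorization", {}).get("permissions", [])
    # Assumed entry layout: {"rsid": ..., "rsname": ..., "scopes": [...]}
    return {p.get("rsname") or p["rsid"]: frozenset(p.get("scopes", [])) for p in perms}

def diff_nodes(rpts_by_node):
    """Return {resource: {node: sorted scopes, or None if not granted}} where nodes disagree."""
    views = {node: rpt_permissions(rpt) for node, rpt in rpts_by_node.items()}
    drift = {}
    for res in sorted(set().union(*views.values())):
        per_node = {node: view.get(res) for node, view in views.items()}
        if len(set(per_node.values())) > 1:
            drift[res] = {n: None if s is None else sorted(s) for n, s in per_node.items()}
    return drift

def fake_rpt(permissions):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"authorization": {"permissions": permissions}}), "sig"])

# Constructed sample: the same user queried on two hypothetical nodes.
SAMPLE = {
    "node1": fake_rpt([
        {"rsid": "r1", "rsname": "report", "scopes": ["view", "edit"]},
        {"rsid": "r2", "rsname": "invoice", "scopes": ["view"]},
    ]),
    "node2": fake_rpt([{"rsid": "r1", "rsname": "report", "scopes": ["view"]}]),
}

if __name__ == "__main__":
    for resource, per_node in diff_nodes(SAMPLE).items():
        print(resource, per_node)
```

Run on a schedule with the same access token against every node, a non-empty result flags a node serving stale authorization data before users see inconsistent grants.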

