[keycloak-user] Keycloak caching issue

Pedro Igor Silva psilva at redhat.com
Tue Jun 18 03:23:59 EDT 2019


I have some changes in upstream that might be related. If you could check
it out and see if the issue still persists, I would appreciate it.

Basically, I was able to reproduce a misbehavior when managing resource
permissions and changing the resource type and associated resources.

On Mon, Jun 17, 2019 at 7:15 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> I am not able to reproduce it but it is happening constantly. I think what
> I can confirm is that if I play around with the authorization stuff
> (resource/policy/permission) of a realm, then there is a good chance the
> cache for that realm gets screwed up. I will let you know if I find a way
> to reproduce it.
> In the meantime, is there a config fix for this caching issue?
>
> Thanks
>
> On Tue, Jun 11, 2019 at 4:39 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> I've tried different changes to settings and I think I got one. Could you
>> confirm that you are changing a resource permission by replacing the type
>> with a specific resource?
>>
>> On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Hi Pedro,
>>>
>>> I think I can say that it happens after changing the authorization
>>> settings. For instance I add resources/policies/permissions.
>>>
>>> To get the permissions (in Kotlin):
>>> - I get the access token from KeycloakSecurityContext
>>> accessToken = getKeycloakSecurityContext().tokenString
>>>
>>> - Create AuthzClient and send access token and an instance of
>>> AuthorizationRequest to it and extract the RPT:
>>> rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>>>
>>> - Then using the AuthzClient again I call the introspect RPT API to get
>>> the guts of RPT and get the permissions:
>>> permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>>>
>>> It is this permissions object that is not consistent between two nodes.
>>>
>>>
>>> Cheers
>>>
>>> Farzad
>>>
>>> On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Does it happen after changing anything in your client's authorization
>>>> settings (e.g., resources, scopes, permissions, etc.)?
>>>>
>>>> How are you sending authorization requests? By passing a set of one or
>>>> more permission parameters, obtaining all permissions or using a UMA
>>>> ticket?
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi <farzad.panahi at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a
>>>>> load-balancer in front of them. I noticed that sometimes I am getting
>>>>> inconsistent RPTs, meaning that I send two queries and the two RPTs
>>>>> returned have different granted permissions in them.
>>>>>
>>>>> So I went behind the load-balancer and queried each node individually.
>>>>> It turns out that one of the nodes is always returning the wrong set of
>>>>> permissions in the RPT.
>>>>>
>>>>> If I go to the admin console and clear the realm cache, then both nodes
>>>>> would return the same correct permissions right away.
>>>>>
>>>>> This is so intermittent. I am not sure what is causing this. I cannot
>>>>> find any clue in the logs. There is not much out there. I do not know how
>>>>> to reproduce this.
>>>>>
>>>>> Anyone with a similar issue? Any suggestions?
>>>>>
>>>>> Cheers
>>>>>
>>>>> Farzad
>>>>
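
Added example, not part of the original thread and not Keycloak's own code: a Python check that decodes the RPT obtained from each node directly (bypassing the load balancer, as described in the thread) and reports resources whose granted scopes differ between nodes. It assumes the RPT payload carries an `authorization.permissions` claim with `rsid`, `rsname` and `scopes` entries; the node names and tokens are constructed sample data, and signatures are not verified because the output is used only for diagnosis, never for an access decision.

```python
import base64
import json


def make_token(claims):
    """Build an unsigned, JWT-shaped string (constructed demo input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def rpt_permissions(rpt):
    """Map resource name -> set of scopes from an RPT payload (no signature check)."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    perms = claims.get("authorization", {}).get("permissions", [])
    # Assumed claim layout: rsid / rsname / scopes per permission entry.
    return {p.get("rsname", p["rsid"]): set(p.get("scopes", [])) for p in perms}


def diff_nodes(rpts_by_node):
    """Return {resource: {node: sorted scopes or None}} where nodes disagree."""
    per_node = {node: rpt_permissions(tok) for node, tok in rpts_by_node.items()}
    drift = {}
    for resource in sorted(set().union(*per_node.values())):
        grants = {node: perms.get(resource) for node, perms in per_node.items()}
        distinct = {None if g is None else frozenset(g) for g in grants.values()}
        if len(distinct) > 1:  # at least one node grants something different
            drift[resource] = {n: None if g is None else sorted(g)
                               for n, g in grants.items()}
    return drift


# Constructed sample: node2 serves a stale view of the realm's permissions.
SAMPLE = {
    "node1": make_token({"authorization": {"permissions": [
        {"rsid": "r-1", "rsname": "orders", "scopes": ["view", "edit"]},
        {"rsid": "r-2", "rsname": "reports", "scopes": ["view"]}]}}),
    "node2": make_token({"authorization": {"permissions": [
        {"rsid": "r-1", "rsname": "orders", "scopes": ["view"]}]}}),
}

if __name__ == "__main__":
    for resource, grants in diff_nodes(SAMPLE).items():
        print(resource, grants)
```

An empty result means every node returned the same grants; running it on a schedule against each node gives an early signal that a realm cache has gone stale after an authorization change.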

