As you can see in the picture, I am trying to use a service that requires a logged-in user, so Keycloak redirects me to the login form. After that the user logs in correctly and I get "Your login attempt timed out. Login will start from the beginning." and in the log we get the following message
This only happens when I try to access the service through the reverse proxy but using the IP or an alias of the machine, while the reverse proxy is registered to be accessible through the hostname.
I mean, if the reverse proxy uses “myhostname” I need to use that hostname; if instead I use “myhostname.company.com” or the IP of the machine, I get that expire_code log message.
That doesn't happen to the admin, since keycloak.frontendUrl is set to the hostname, and then when accessing the admin the redirect_url changes its value automatically from “myhostname.company.com/auth/admin…” to “myhostname/auth/admin…”, so after logging in there is a redirect to the admin.
Do I always have to force replacing the redirect_url in the reverse proxy, like Keycloak is doing?
But now I can't even get the login page anymore.
I can't show my reverse proxy settings as I have no control over them myself, but the architecture is like:
https://mysso -> WAF -> load balancing (physical Load balancer) -> 4 instances of keycloak on 2 nodes
What I noticed is that without frontendUrl, and if I stop one node, it works fine.
Could it be possible that the issue is coming from the sync of the cache or something between the two nodes?
Check this configuration: https://www.keycloak.org/docs/latest/server_installation/#_replication
If you have 4 instances, check owners=“2”, the number of owners. If you have 4 instances and the owners definition is 2, only two instances have the cache; try to set it to 4, but it is not necessarily the problem. You have to make your load balancer persist sessions with sticky sessions, but you can try this.
@klinux I added the sticky session on the load balancer, and it seems to fix the issue.
Still, it sounds strange, as I was pretty sure sticky sessions were only a performance tuning and not mandatory at all (as is explained in the doc).
So I'm wondering if there is not a hidden issue that prevents my cluster from working without it.
Yes, according to the documentation, when an instance does not have the session, it asks another member. I think that is it; I agree with your point, sticky sessions cannot be the solution. Because of this, I believe the problem is a bad configuration of replication or inside the cluster. Are you using a multicast cluster? TCP_PING or UDP_PING? Check that, look at the logs and check if the cluster can see all members.
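As an added example (not from this thread or from Keycloak itself), a small POSIX shell check for the "can the cluster see all members" step: it reads the most recent ISPN000094 cluster-view line from a WildFly/Keycloak server log and compares the member list with the nodes you expect. The log lines embedded below are constructed samples; the node names and the expected count of 4 are assumptions matching the setup discussed here.

```shell
#!/bin/sh
# Constructed sample log text (not from the original thread). ISPN000094 is the
# message Infinispan logs whenever the JGroups cluster view changes; the number
# in parentheses is the member count and the trailing list names the members.
SAMPLE_LOG='10:00:00,000 INFO  [org.infinispan.CLUSTER] (t1) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, master:server-two]
10:05:00,000 INFO  [org.infinispan.CLUSTER] (t2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|3] (4) [master:server-one, master:server-two, slave:server-one, slave:server-two]'

# Print the last ISPN000094 line in the log text given as $1; only the most
# recent view reflects the current membership.
latest_view_line() {
  printf '%s\n' "$1" | grep 'ISPN000094' | tail -n 1
}

# Print the member count "(N)" from the latest view (empty if none logged).
latest_view_size() {
  latest_view_line "$1" | sed -n 's/.*] (\([0-9][0-9]*\)) \[.*/\1/p'
}

# Print the comma-separated member list from the latest view.
latest_view_members() {
  latest_view_line "$1" | sed -n 's/.*) \[\(.*\)]$/\1/p'
}

# Succeed only if the latest view has exactly $2 members and every node named
# in $3 (space separated) is present; otherwise report what is wrong and fail.
cluster_complete() {
  log=$1; expected=$2; nodes=$3
  size=$(latest_view_size "$log")
  [ "$size" = "$expected" ] || { echo "view has ${size:-0} members, expected $expected"; return 1; }
  members=$(latest_view_members "$log")
  for n in $nodes; do
    case ",$members," in
      *", $n,"*|*",$n,"*) ;;
      *) echo "missing member: $n"; return 1 ;;
    esac
  done
  return 0
}

# Usage against a real log (assumed path):
# cluster_complete "$(cat standalone/log/server.log)" 4 \
#   "master:server-one master:server-two slave:server-one slave:server-two"
```

A node that never appears in anyone's view is running standalone, which is exactly the case where a login started on one instance cannot be finished on another.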
It seems only the two instances on my node are discovered, even if I can see:
[org.jboss.as.domain.controller] (Host Controller Service Threads - 11) WFLYHC0019: Registered remote slave host “slave”, JBoss Keycloak 11.0.0 (WildFly 12.0.3.Final)
I believe that your problem is your cluster; try to solve that. The cluster needs all instances discovered, otherwise each will be running as a standalone instance.
Yeah, I finally found what was wrong: there are strong network policies in the company that made this happen.
Now I can clearly see all 4 instances:
[slave:server-one(site-id=10.100.109.17, rack-id=null, machine-id=null), slave:server-two(site-id=10.100.109.17, rack-id=null, machine-id=null), master:server-one(site-id=10.100.109.15, rack-id=null, machine-id=null), master:server-two(site-id=10.100.109.15, rack-id=null, machine-id=null)]