Keycloak Cluster AWS ECS using JDBC_PING

Hi

I am trying to upgrade Keycloak from 4.5.0.Final to 15.0.0. We have a cluster setup with standalone-ha using JDBC_PING, sharing a common datasource and having an AWS ELB in front (same on 4.5.0 as well as 15.0.0).

The cluster is up as per the logs, also verified through the jgroupping table in the DB, which has an entry for both nodes.

But I am unable to access the UI, with an error similar to:

2017-11-27 14:50:31,587 WARN  [org.keycloak.events] (default task-17) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=aa.bb.cc.dd, error=expired_code, restart_after_timeout=true

Hostname provider is default in standalone-ha.xml (frontendUrl and adminUrl are not set):
[org.keycloak.url.DefaultHostnameProviderFactory] (ServerService Thread Pool – 68) Frontend: , Admin: , Backend:

A single instance is working fine; the issue is only with the cluster.

Question: is it necessary to enable sticky sessions for a cluster setup in versions later than 4.5.0.Final, as the above version is running without sticky sessions?

If not, how would I make my cluster accessible through the UI?

If sticky sessions are necessary:

  1. I tried to enable them on the AWS ELB with a load balancer cookie, but applications using the keycloak-admin-client library are facing issues, getting an invalid bearer token.

  2. If I enable sticky sessions through the AUTH_SESSION_ID application cookie, I get an infinite redirect with CODE_TO_TOKEN_ERROR; the whoami API is failing with 401.

I have not set jboss.node.name or the stickySession SPI with route as false in the config.

Any help is appreciated.

You can try setting env var CACHE_OWNERS and CACHE_OWNERS_AUTH_SESSIONS_COUNT to the number of instances you have.

By default, Infinispan will not maintain a copy of the cache at every node. When a node needs to access the cache, Infinispan will query the node with the cache store.

You can check communication between nodes.

Can containers inside ECS freely communicate with one another? If not, how to configure access policies? You can investigate that.

Thanks. It started working after setting FRONTEND URL. Also I added the env variable related to cache owners.
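For reference, here is how the two settings this thread converged on look in a Keycloak 15 standalone-ha.xml: the hostname SPI with frontendUrl, and the owners attribute on the distributed session caches (an added example, not configuration from the original posts). It assumes the `${env.NAME:default}` WildFly expression syntax, the KEYCLOAK_FRONTEND_URL, CACHE_OWNERS_COUNT and CACHE_OWNERS_AUTH_SESSIONS_COUNT variable names resolved by the jboss/keycloak container image, and https://sso.example.com/auth as a placeholder public URL.

```xml
<!-- Inside <subsystem xmlns="urn:jboss:domain:keycloak-server:..."> -->
<!-- With frontendUrl empty, each node derives redirect and cookie URLs from
     the request it happens to receive; behind an ELB the two nodes can then
     disagree. Pinning the public URL makes both nodes issue identical URLs. -->
<spi name="hostname">
    <default-provider>default</default-provider>
    <provider name="default" enabled="true">
        <properties>
            <!-- placeholder URL; normally injected via KEYCLOAK_FRONTEND_URL -->
            <property name="frontendUrl" value="${env.KEYCLOAK_FRONTEND_URL:https://sso.example.com/auth}"/>
            <property name="forceBackendUrlToFrontendUrl" value="false"/>
        </properties>
    </provider>
</spi>

<!-- Inside <subsystem xmlns="urn:jboss:domain:infinispan:..."> -->
<!-- With owners="1" (the default) an authentication session lives on exactly
     one node. If the ELB sends the login callback to the other node, that node
     has no copy and the login fails with expired_code / CODE_TO_TOKEN_ERROR.
     Setting owners to the node count keeps a replica on every node, so no
     sticky sessions are needed. -->
<cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <distributed-cache name="sessions" owners="${env.CACHE_OWNERS_COUNT:2}"/>
    <distributed-cache name="authenticationSessions" owners="${env.CACHE_OWNERS_AUTH_SESSIONS_COUNT:2}"/>
    <distributed-cache name="offlineSessions" owners="${env.CACHE_OWNERS_COUNT:2}"/>
    <distributed-cache name="clientSessions" owners="${env.CACHE_OWNERS_COUNT:2}"/>
    <distributed-cache name="offlineClientSessions" owners="${env.CACHE_OWNERS_COUNT:2}"/>
    <distributed-cache name="loginFailures" owners="${env.CACHE_OWNERS_COUNT:2}"/>
    <distributed-cache name="actionTokens" owners="${env.CACHE_OWNERS_COUNT:2}">
        <expiration max-idle="-1" interval="300000"/>
    </distributed-cache>
</cache-container>
```

Each extra owner costs memory on every node, so the value should match the actual node count rather than being set arbitrarily high; a quick check after a rolling restart is that a login completes even when the ELB cookie is cleared between the redirect and the callback.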
