Keycloak cluster on zone-redundant Azure App Service

Hello,

Our Keycloak cluster is deployed in a zone-redundant Azure App Service with the domain auth.company-domain.com.
Our API client has the domain app.company-domain.com.

During the login workflow, the Keycloak App Service node generates an ARRAffinity ID and adds it as a cookie in the response header. This is used by the App Service load balancer to implement sticky sessions. This cookie has a domain scope of auth.company-domain.com.
Now, when Keycloak completes the authorization and redirects to the web app, the web browser discards this cookie because of the difference in domain scope.

When the web app requests a token (https://auth.company-domain.com/auth/realms/realmId/protocol/openid-connect/token), it intermittently fails (invalid grant) because the request is randomly routed to one of the Keycloak nodes. We need to add the ARRAffinity cookie to the token request header so that the App Service load balancer knows where to forward the request.

Does anyone here have a setup similar to our architecture? How did you manage to solve this issue?

Any suggestion is very much appreciated!

Thank you!
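To make the failure mode in the post concrete, here is a small constructed model (added here, not code from the poster, Keycloak or Azure) of three Keycloak nodes behind a load balancer that routes by the ARRAffinity cookie when present and randomly otherwise. The node names, the in-memory authorization-code store and the `login_flow` / `success_rate` helpers are assumptions of the model; it shows that an authorization code issued on one node is only redeemable on that node unless the affinity cookie reaches the token endpoint or the code store is shared between nodes.

```python
"""Constructed model of sticky-session loss between authorize and token requests."""
import random
import secrets
from typing import Optional


class KeycloakNode:
    """One App Service instance; 'codes' is its authorization-code store (assumed)."""

    def __init__(self, name: str, shared_store: Optional[dict] = None):
        self.name = name
        # Replicated deployment: all nodes share one dict; otherwise each node has its own.
        self.codes = shared_store if shared_store is not None else {}

    def authorize(self) -> tuple[str, dict]:
        # Issue a one-time code and the ARRAffinity cookie that points back to this node.
        code = secrets.token_hex(8)
        self.codes[code] = "user-session"
        return code, {"ARRAffinity": self.name}

    def token(self, code: str) -> dict:
        # Code exchange: a code this node never issued yields invalid_grant.
        if self.codes.pop(code, None) is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_hex(16)}


class AppServiceLoadBalancer:
    """Routes by ARRAffinity cookie when present, otherwise picks a node at random."""

    def __init__(self, nodes, rng: random.Random):
        self.nodes = {n.name: n for n in nodes}
        self.rng = rng

    def route(self, cookies: dict) -> KeycloakNode:
        affinity = cookies.get("ARRAffinity")
        if affinity in self.nodes:
            return self.nodes[affinity]
        return self.rng.choice(list(self.nodes.values()))


def login_flow(lb: AppServiceLoadBalancer, forward_cookie: bool) -> bool:
    """Authorize on one node, then exchange the code; True if the exchange succeeded."""
    code, cookies = lb.route({}).authorize()
    token_cookies = cookies if forward_cookie else {}  # dropped cookie = the post's symptom
    return "access_token" in lb.route(token_cookies).token(code)


def success_rate(trials: int, forward_cookie: bool, replicated: bool, seed: int = 1) -> float:
    """Fraction of logins whose token exchange succeeds under the given configuration."""
    rng = random.Random(seed)
    shared = {} if replicated else None
    lb = AppServiceLoadBalancer([KeycloakNode(f"node{i}", shared) for i in range(3)], rng)
    return sum(login_flow(lb, forward_cookie) for _ in range(trials)) / trials
```

Calling `success_rate(200, forward_cookie=False, replicated=False)` reproduces the intermittent invalid_grant, while either forwarding the cookie or sharing the code store between nodes brings the rate to 1.0.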