Keycloak - domain mode - persistent sessions

Hi everyone,

I continue to learn how Keycloak works in domain mode and I have a doubt.

I have a cluster with 2 nodes + a load balancer (nginx) in front of it.
Globally I can say “it works” but my sessions are not persistent.

Example:

  • nginx configured in active/passive
  • node 1 : up
  • node 2 : up
  • I connect to keycloak: so my connection is routed to node 1
  • I authenticate with my credentials: it works
  • I stop node 1
  • I reload the page
  • I’m routed to node 2 (node 1 is down): I’m disconnected

Is it a normal behavior or something to configure :slight_smile: ?

Thank you very much


Nobody knows :confused: ?
I’m sure I’m not the only one who wants to put keycloak in active/active cluster :slight_smile:

How should Keycloak know about the cluster without specifying/configuration? Just using a loadbalancer in front of two nodes is not enough.
Read the docs: Server Installation and Configuration Guide, chapters 9 and 10 are worth reading, also chapter 3 for a basic understanding of the operation modes. Using domain mode is not for running a HA cluster.

i do not use domain mode (highly customized standalone-ha), and have DB-based replication. i suspect this is what you want, tuned according to your use case (how you replicate, whether you use DB or some other data store, etc).

as dasniko said, first spend time with the docs…if example config is helpful at all you can see:

@dasniko :
I read the documentation before posting this message.
I was pretty sure the domain mode was not suited to achieving my objective (a HA cluster) but a little doubt remained: that’s why I wrote this message :slight_smile:

Thank you for your reply: now it’s 100% clear :slight_smile:

@deadlysyn

Thank you very much for sharing your configuration file: I will study it asap :slight_smile:

I just QUICKLY parsed your configuration file.

Did you have an active/active “cluster”? Example:

  • you stop the Keycloak instance #1/2
  • the load is switched on Keycloak instance #2/2 ?
  • are users disconnected or still connected?

Because from what I understood, sessions are stored in the infinispan cache.
And for this part, I can’t understand how you can have a replication sorry :confused:
Or maybe all Keycloak instances are on the same “physical” (can be a VM) server?

Luckily, we get rid of this domain-/standalone-mode config confusion with Keycloak.X! :slightly_smiling_face:

@dasniko …and lose all ROI from the ~two years i’ve spent getting automation/config/etc just right for current state (tradeoffs vs all good – but change is inevitable :slight_smile: just being the curmudgeon since i’ve been on the internet too long at this point)

@kortex yep, multi-node cluster with active failover. you can tune replication such that a single node going down does not lose data.
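
Added example, not part of the thread and not any poster's configuration: a check that reads the Infinispan section of a legacy `standalone-ha.xml` and reports session caches that keep only one copy of each entry, which is what logs users out when their node stops. The embedded XML is a constructed sample; the namespace version, the `owners` values and the `min_owners=2` threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed Infinispan subsystem of a standalone-ha.xml.
SAMPLE = """
<subsystem xmlns="urn:jboss:domain:infinispan:11.0">
  <cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <local-cache name="realms"/>
    <distributed-cache name="sessions" owners="1"/>
    <distributed-cache name="authenticationSessions" owners="2"/>
    <distributed-cache name="offlineSessions"/>
    <distributed-cache name="clientSessions" owners="2"/>
    <distributed-cache name="offlineClientSessions" owners="2"/>
    <replicated-cache name="work"/>
  </cache-container>
</subsystem>
"""

# Caches that hold login state and must survive the loss of one node.
SESSION_CACHES = {"sessions", "authenticationSessions", "offlineSessions",
                  "clientSessions", "offlineClientSessions"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text, min_owners=2):
    """Return {cache name: problem} for session caches that are not redundant."""
    findings, seen = {}, set()
    for container in ET.fromstring(xml_text.strip()).iter():
        if local(container.tag) != "cache-container" or container.get("name") != "keycloak":
            continue
        for cache in container:
            name, kind = cache.get("name"), local(cache.tag)
            if name not in SESSION_CACHES:
                continue
            seen.add(name)
            if kind == "replicated-cache":
                continue  # every node already holds every entry
            if kind != "distributed-cache":
                findings[name] = f"{kind} is not shared between nodes"
            elif cache.get("owners") is None:
                # Script's choice: require an explicit value rather than trust a default.
                findings[name] = "owners not set explicitly"
            elif int(cache.get("owners")) < min_owners:
                findings[name] = f"owners={cache.get('owners')}"
    for name in SESSION_CACHES - seen:
        findings[name] = "not defined"
    return findings

if __name__ == "__main__":
    for cache, problem in sorted(audit(SAMPLE).items()):
        print(f"{cache}: {problem}")
```

Redundant copies only help if the nodes have actually formed one cluster, so this check complements the cluster discovery setup rather than replacing it.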


@deadlysyn

today’s knowledge is tomorrow’s error

keep learning, evolving and getting better all the time!

counter balanced by “change for the sake of change is not necessarily useful” (new will always appear shiny) – although i see the reasons for moving to a lighter/container-optimized framework. i welcome it, but have done this long enough to realize “things always change” (no escaping that) but also “use boring tech” is a way to success/sanity/focusing on business value vs constantly swapping legos.

keep up the good work and don’t mind the curmudgeon in the corner :slight_smile:
