Auth Token sharing across cluster nodes

[Nihal987]

Hi, I have a Keycloak setup where keycloak is running on two different host machines (it is running on 2 different containers for now).
I used the JDBC_PING protocol for discovery and I can see that my sessions are getting replicated. For our architecture we want to mainly use Keycloak features through REST API calls, but when I try to use the auth token from one keycloak instance to make a GET call on the other keycloak instance it doesn't work.

Put another way, if I have a load balancer and the auth token is obtained from one keycloak instance but the REST client is then redirected to the other keycloak instance the request wouldn't work.

How would one achieve this? I've gone thtough the documentation and I assumed that this was the default behaviour in a clustered setup.
"By relying on a distributable cache, authentication sessions are available to any node in the cluster so that users can be redirected to any node without losing their authentication state. "

I have also read the section on using proxies and the load balancer, from what I understood the "sticky session" functionality was created so that the same keycloak instance that authenticated a user/client is always used to serve that user/client. But what if we don't want that?

[danielFesenmeyer]

Have you already read this documentation? https://www.keycloak.org/server/hostname

If you configure a common hostname for both machines, the auth tokens created by those machines should return the same issuer (starting with your hostname), and it should work as expected.

[Nihal987]

Oh I didn't, thank you.
But right now I have keycloak running on the same server in different docker containers. So both the instances have the same hostname but different ports. (Both the docker containers are using network=host)

[danielFesenmeyer]

Ah, I meant that the hostname-url (as described in the docs) should be the same. Which means also the port has to be the same.
The hostname option is just a shortcut for http(s) servers available at port 80/443.

I think the question is: Which incoming URLs do you redirect to Keycloak in your load balancer?
The common base URL of those requests should be the hostname-url for Keycloak.

[Nihal987]

Oh I misunderstood, I see now why my requests weren't working. Thank you

[Nihal987]

Hi @danielFesenmeyer sorry to ask a follow up question, but do you know if a Keycloak cluster requires all the nodes of the cluster to connect to the same DB instance for auth token validation to work?
When I had my keycloak cluster connected to a single Postgres instances I was able to use the auth tokens generated from one keycloak instance on another. However, when I setup a multiwrite DB cluster and connected each keycloak node to a different node in the database cluster, the auth tokens from instance were no longer working on another instance.

[danielFesenmeyer]

@Nihal987 Sorry, I don't have experience with Postgres clusters. Probably it's best to ask in a separate thread.