Selvakumar Ponnusamy

Reputation: 5533

Keycloak fails to authenticate openid-connect token in cluster mode

I'm running two Keycloak Docker instances and configured a cluster as specified here: https://hub.docker.com/r/jboss/keycloak/

I can see logs related to clustering and two records in the JGROUPSPING table. Also, it works when I authenticate (openid-connect) through Host1, get an access token/refresh token, and am able to retrieve a new access_token using the refresh token via Host2, which means I believe the clustering setup is working.

But I'm getting a 401 error when I make an API call to Host2, either using the access token I received from Host1 or the access_token I got from Host1's refresh token. It works only when I use an access_token received from the same host.

My understanding is that these access_tokens aren't related to cookies, so it should be working seamlessly. But it fails.

Upvotes: 0

Views: 475

Answers (1)

nico

Reputation: 460

I had a problem with the verification of the access token signature.

The access tokens are signed by Keycloak with a keystore. If you don't have a certificate and key mounted in the Docker container, this keystore will be different between the nodes in your cluster, and a token generated by one node will not be valid for another node.

So you have to follow the "Setting up TLS(SSL)" part of the Docker image documentation.

Upvotes: 1
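To confirm the answer's diagnosis before touching the deployment, compare the signing key each node advertises with the `kid` in the rejected token. The script below is an added example, not code from the question or from Keycloak: the JWKS documents and the token are constructed stand-ins for what each node would serve from its `openid-connect/certs` endpoint (realm name and hostnames are assumptions), and only the token header is inspected, no signature is verified.

```python
import base64
import json

# Constructed sample JWKS documents, standing in for what each node serves at
# https://<host>/auth/realms/<realm>/protocol/openid-connect/certs
# (realm name and hostnames are assumptions, not taken from the question).
JWKS_HOST1 = {"keys": [{"kid": "node1-rsa", "kty": "RSA", "alg": "RS256", "use": "sig"}]}
JWKS_HOST2 = {"keys": [{"kid": "node2-rsa", "kty": "RSA", "alg": "RS256", "use": "sig"}]}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kid(token: str) -> str:
    """Return the 'kid' from a JWT header (the header is read, not verified)."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("kid", "")


def signing_kids(jwks: dict) -> set:
    """Key ids a node would accept when verifying an RS256 token signature."""
    return {k["kid"] for k in jwks["keys"] if k.get("use", "sig") == "sig"}


def diagnose(token: str, jwks_by_host: dict) -> dict:
    """Map each host to whether it knows the key that signed the token.
    A host that does not know the kid has no way to verify the signature
    and answers 401, which is the symptom in the question."""
    kid = token_kid(token)
    return {host: kid in signing_kids(jwks) for host, jwks in jwks_by_host.items()}


def _fake_jwt(kid: str) -> str:
    """Constructed token: realistic header, dummy payload and signature."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT", "kid": kid}), enc({"sub": "demo"}), "sig"])


if __name__ == "__main__":
    token_from_host1 = _fake_jwt("node1-rsa")
    print(diagnose(token_from_host1, {"host1": JWKS_HOST1, "host2": JWKS_HOST2}))
    # -> {'host1': True, 'host2': False}: Host2 cannot verify Host1's token
```

Once both nodes share the same certificate and key, their JWKS documents should list the same `kid` and `diagnose` reports `True` for every host.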
