streetmankirvin

Reputation: 25

Keycloak - sharing OAUTH2 tokens across clustered keycloak servers

I am running two keycloak servers in standalone clustered mode. Both have the same configuration (the docker images are identical). These are configured to share an ldap and db server. I have confirmed that both instances of keycloak have access to the database, and users added on one keycloak server are seen on the other keycloak server. Using "username" "password" allows me to log into the server, regardless of which keycloak instance I go through. However, OAUTH2 tokens do not appear to be shared. Microservices behind one of the keycloak instances are inaccessible if I have an OAUTH2 token issued from the other keycloak instance.

My assumption is that I have configuration wrong, but I haven't found anything that looks incorrect yet.

How do I share OAUTH2 tokens across keycloak servers? These servers are on the same docker overlay network.

Upvotes: -1

Views: 341

Answers (1)

zaerymoghaddam

Reputation: 3117

Keycloak doesn't persist tokens in db, but keeps them in the Infinispan cache. By default, these caches are configured as distributed. This means that only one node is considered as the owner of a cached item and all other nodes would ask the owner for the value of that specific cached item.

Are you sure that the Infinispan subsystem of your WildFly servers can talk to each other? (e.g. a firewall may prevent this from happening, or a network/WildFly misconfiguration)

In a similar scenario, we had a cluster of two nodes, so when node1 was down, all the tokens cached on that node would be gone. So we changed the configuration and made them replicated, and they all started to work as expected. We ensured first that the Infinispan instances on those nodes were able to communicate with each other.

Upvotes: 1
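As an added illustration of the change the answer describes (this is not the answerer's own configuration), here is the relevant part of the Infinispan subsystem in a WildFly-based Keycloak `standalone-ha.xml`. The default session caches are `distributed-cache` elements with `owners="1"`, so each session or token entry lives on exactly one node; the second fragment shows the same caches switched to `replicated-cache`, so every node holds a full copy and losing a node does not lose tokens. The subsystem namespace version is a placeholder and depends on the Keycloak/WildFly release; the rest of the subsystem (local caches, `actionTokens`, `work`) is omitted.

```xml
<!-- Added example, not from the original post. Namespace version is a placeholder. -->
<subsystem xmlns="urn:jboss:domain:infinispan:VERSION_PLACEHOLDER">
    <cache-container name="keycloak">
        <!-- transport is what makes this a clustered container; it rides on the
             JGroups channel, so JGroups must be able to reach the other node -->
        <transport lock-timeout="60000"/>

        <!-- Default shipped layout: one owner per entry. A token issued on
             node1 is held only by node1; if node1 is down, the entry is gone. -->
        <distributed-cache name="sessions" owners="1"/>
        <distributed-cache name="authenticationSessions" owners="1"/>
        <distributed-cache name="offlineSessions" owners="1"/>
        <distributed-cache name="clientSessions" owners="1"/>
        <distributed-cache name="offlineClientSessions" owners="1"/>
        <distributed-cache name="loginFailures" owners="1"/>
    </cache-container>
</subsystem>

<!-- Same caches as replicated, as the answer did: every node keeps a full copy -->
<subsystem xmlns="urn:jboss:domain:infinispan:VERSION_PLACEHOLDER">
    <cache-container name="keycloak">
        <transport lock-timeout="60000"/>
        <replicated-cache name="sessions"/>
        <replicated-cache name="authenticationSessions"/>
        <replicated-cache name="offlineSessions"/>
        <replicated-cache name="clientSessions"/>
        <replicated-cache name="offlineClientSessions"/>
        <replicated-cache name="loginFailures"/>
    </cache-container>
</subsystem>
```

Two checks are worth doing before changing the cache mode, because neither distributed nor replicated caches help if the nodes never form a cluster. At startup, each node logs the JGroups view it joined (an Infinispan message of the form `Received new cluster view for channel ... (2) [node1, node2]`); a view containing only one member means the other node is unreachable. The same view can be read at runtime from the CLI with `/subsystem=jgroups/channel=ee:read-attribute(name=view)`. Both containers must be able to reach each other on the JGroups ports over the overlay network, and the two standalone images must be started with the `standalone-ha.xml` profile rather than the non-clustered `standalone.xml`, or the caches above are silently local.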
