docker - "invalid_grant" "Code not valid" in Keycloak with multiple containers using same cl

Sorry if this matter was discussed before. I looked for something like that, but found nothing.

We have a scenario where we have a Keycloak, an NGINX proxy, four containers having a monolithic legacy Java application and one Redis to share session between four app nodes. All the containers have the same hostname. Our app uses KeycloakOIDCFilter for authentication. We have configured NGINX to rotate (round robin) between the app instances. As the app saves its session in Redis, the session is shared across all the nodes and all works fine.

We decided to change the app authentication to Keycloak (authorization code), but we are experiencing some problems. When we call the app, KC shows its logon screen correctly, but when it sends the POST logon, we receive a 400 error.

In the logs, the problem occurs due to container rotation. When KC calls auth/realms/mycompany/protocol/openid-connect/token, the app receives an answer like this:

{"error":"invalid_grant","error_description":"Code not valid"}

If we shut down three nodes and leave only one, all works fine.

With sticky sessions and four nodes, all works fine.

Below are my nginx config files:

app-location.conf

location /diarias {
    allow all;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Proto https; 
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-Server $host;
    proxy_pass http://diarias/diarias;
}

app-upstream.conf

upstream diarias {
    server diarias:8081;
    server diarias:8082;
    server diarias:8083;
    server diarias:8084;
}

The problem probably occurs because hostname and/or port are not the same after the authentication. Like I said, we need to use round robin.

What am I doing wrong? What's the best approach to solve this question? Thanks for any help.
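
An added example, not part of the original post and not Keycloak's or the application's code: a toy token endpoint following RFC 6749 (sections 4.1.2, 4.1.3 and 5.2), showing two conditions that yield `invalid_grant` when several nodes share one client behind a round-robin proxy. The class, the function names, the host `app.example.test` and the error descriptions are assumptions made up for the illustration.

```python
import secrets
import time

class TokenEndpoint:
    """Toy authorization server: issues codes and redeems them once (RFC 6749 4.1.2)."""
    def __init__(self, code_ttl=60):
        self.code_ttl = code_ttl
        self.codes = {}  # code -> (client_id, redirect_uri, expiry)

    def authorize(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, time.monotonic() + self.code_ttl)
        return code

    def token(self, client_id, code, redirect_uri):
        # pop(): a code is single use, so a second redemption finds nothing.
        entry = self.codes.pop(code, None)
        if entry is None:
            return self._deny("code unknown or already used")
        issued_to, issued_uri, expiry = entry
        if time.monotonic() > expiry:
            return self._deny("code expired")
        # The redirect_uri must be identical to the one in the authorization request.
        if client_id != issued_to or redirect_uri != issued_uri:
            return self._deny("client or redirect_uri mismatch")
        return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

    @staticmethod
    def _deny(reason):  # constructed descriptions, not Keycloak's wording
        return 400, {"error": "invalid_grant", "error_description": reason}

def callback_uri(host, port, path="/diarias"):
    """Hypothetical: the redirect_uri a node derives from the request it sees."""
    return f"https://{host}:{port}{path}"

def run_scenarios():
    server = TokenEndpoint()
    public = callback_uri("app.example.test", 443)
    results = {}
    # 1. One node starts the flow and redeems the code once: success.
    code = server.authorize("diarias", public)
    results["single_node"] = server.token("diarias", code, public)[0]
    # 2. The callback is handled by two nodes; the second redeems a spent code.
    code = server.authorize("diarias", public)
    server.token("diarias", code, public)
    results["replayed_code"] = server.token("diarias", code, public)[1]["error"]
    # 3. The redeeming node rebuilds redirect_uri from its own port (8082).
    code = server.authorize("diarias", public)
    other = callback_uri("app.example.test", 8082)
    results["uri_mismatch"] = server.token("diarias", code, other)[1]["error"]
    return results

if __name__ == "__main__":
    print(run_scenarios())
```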

Published by: admin. Please credit the source when reposting: http://www.yc00.com/questions/1744209519a4563268.html