backchannel logout in clustered application reg -


Amit Purohit

Sep 22, 2022, 12:32:09 AM
to Keycloak User
Hi,

I have a JavaEE application deployed in a Payara application cluster with more than two nodes. The application uses the Keycloak servlet adapter to enable integration with Keycloak. I have Keycloak 11.0 deployed in production in domain clustered mode. I have manually registered the application cluster nodes under the application clustering section of the client configuration. I used ${application.session.host} in the admin URL to enable Keycloak to send the back-channel logout call to the appropriate cluster node. A load balancer with sticky sessions is used in front of the application cluster to provide a single-node view and distribute requests. Everything works fine.

Now I need to upgrade Keycloak to a newer version; I am trying to upgrade to 18.0.2 (legacy version). However, the newer version complies with the OIDC Back-Channel Logout standard and has a separate config parameter under client configuration for back-channel logout, separate from the admin URL. The problem is that my clustered system doesn't work with this: the back-channel logout param doesn't support ${application.session.host} in the URL. Consequently, the back-channel functionality breaks. Moreover, to my knowledge, the Servlet Filter adapter implementation from Keycloak doesn't support handling back-channel logout. I have implemented my own library to handle the back-channel call: validating things as per the standard and logging out the appropriate session. For this purpose, the library stores sessions in an application-scoped bean. In a single-node deployment of the application everything works, but I don't have a solution from Keycloak for a multiple-node application deployment, because Keycloak wouldn't know which node the back-channel logout request should go to, considering that the application deployment on each node is independent and client request distribution is configured with sticky sessions.

One solution is to use Payara's built-in Hazelcast data grid to store the web sessions, and then any node should be able to handle the back-channel logout call across the cluster.

But I am interested to know if Keycloak has any solution for this.
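
As an added example (not code from the post or from Keycloak), here is one way the handling described above could look: the claim checks that OIDC Back-Channel Logout requires on a logout token whose signature has already been verified, plus a map of revoked `sid` values that any node can write and the node owning the sticky session can read. Class and method names, the tolerance value and the sample claims are hypothetical; the map is assumed to be backed by a cluster-wide data grid in a real deployment, and tokens carrying only `sub` are rejected here for brevity.

```java
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Added example: logout-token claim checks plus a shared "revoked sid" map. */
public class BackchannelLogoutExample {
    static final String EVENT = "http://schemas.openid.net/event/backchannel-logout";
    static final long MAX_AGE_SECONDS = 120; // assumed tolerance for iat

    // Assumption: in a cluster these are grid-backed ConcurrentMaps shared by all nodes;
    // local maps are used here so the example runs stand-alone. Entries should expire in real use.
    final ConcurrentMap<String, Long> revokedSids = new ConcurrentHashMap<>();
    final ConcurrentMap<String, Long> seenJti = new ConcurrentHashMap<>();

    /** claims must come from a token whose signature was already verified against the issuer's keys. */
    String handleLogout(Map<String, Object> claims, String issuer, String clientId, long now) {
        if (!issuer.equals(claims.get("iss"))) throw new SecurityException("iss mismatch");
        Object aud = claims.get("aud"); // aud may be a single string or a list
        boolean audOk = aud instanceof Collection ? ((Collection<?>) aud).contains(clientId) : clientId.equals(aud);
        if (!audOk) throw new SecurityException("aud does not contain this client");
        if (!(claims.get("iat") instanceof Number)) throw new SecurityException("iat missing");
        long iat = ((Number) claims.get("iat")).longValue();
        if (Math.abs(now - iat) > MAX_AGE_SECONDS) throw new SecurityException("iat outside tolerance");
        Object events = claims.get("events");
        if (!(events instanceof Map) || !((Map<?, ?>) events).containsKey(EVENT))
            throw new SecurityException("not a back-channel logout event");
        if (claims.containsKey("nonce")) throw new SecurityException("nonce must not be present");
        Object sid = claims.get("sid");
        if (!(sid instanceof String)) throw new SecurityException("sid required by this example");
        Object jti = claims.get("jti");
        if (jti instanceof String && seenJti.putIfAbsent((String) jti, now) != null)
            throw new SecurityException("replayed jti");
        revokedSids.put((String) sid, now); // visible to every node sharing the map
        return (String) sid;
    }

    /** Called by the node that owns the web session (for example from a filter) on each request. */
    boolean isRevoked(String sid) { return revokedSids.containsKey(sid); }
    public static void main(String[] args) {
        BackchannelLogoutExample node = new BackchannelLogoutExample();
        long now = 1_700_000_000L;
        // Constructed sample claims, not taken from a real Keycloak token.
        Map<String, Object> claims = Map.of("iss", "https://idp.example/realms/demo", "aud", "my-app",
                "iat", now - 5, "jti", "abc-1", "sid", "session-42", "events", Map.of(EVENT, Map.of()));
        System.out.println(node.handleLogout(claims, "https://idp.example/realms/demo", "my-app", now));
        System.out.println(node.isRevoked("session-42"));
    }
}
```

With this shape the logout endpoint never needs to reach the node that holds the session: the owning node checks `isRevoked` with the `sid` it recorded at login and invalidates its own local session.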
