Multi-node issue in AWS with Keycloak


Sudheer Narra

Apr 3, 2023, 11:56:44 AM
to Keycloak User
Hi Team,

We are facing an issue maintaining a cluster of nodes in AWS for Keycloak.

When we add more than one node to the Keycloak service, we are unable to log in to the Keycloak dashboard console, and users are also unable to log in through our eform2290 app.

Here are the experiments we have gone through:
1) Enabled session stickiness
2) Forwarded the reverse proxy
3) Added an ISPN cache file to enable the distributed cache mechanism
4) Enabled the discovery protocol as TCP_PING or JDBC_PING from node to node
5) Changed the proxy mode to edge

We made all of the above changes and tested every combination, but with no luck; we also did not find sufficient information on a Keycloak cluster with multiple nodes in the official documentation.

Please let us know the right approach to solve this problem.

Thanks
Sudheer

Björn Eickvonder

Apr 4, 2023, 12:03:36 PM
to Keycloak User
What Keycloak version? Are you running Keycloak on ECS, EKS, or plain EC2 instances?
We run Keycloak 15 on EKS and Keycloak 18 on ECS, both in edge mode, with no issues in a cluster.

Björn

Björn Eickvonder

Apr 5, 2023, 7:34:55 AM
to Keycloak User
Where does it fail?
Do you have any errors on the servers? Or do you have any errors on the client, e.g. a 4xx or 5xx from any request? Hitting F12 in the browser usually gives you a clue as to what actually fails.

Sodomgula Muni Sanath

Apr 5, 2023, 10:17:02 AM
to Keycloak User
Hi Björn,

When logging in to the Keycloak web console for the first time, we are able to log in but are immediately redirected to a blank white page. The browser's Network tab shows the error in the attached screenshot.

[Attachment: Screenshot 2023-04-05 at 7.30.39 PM.png]


After refreshing the page we get this token 400 error; the browser's Network tab shows the error in the attached screenshot.

[Attachment: Screenshot 2023-04-05 at 7.31.10 PM.png]

When I check the logs in the container, this is the error shown:

[Attachment: Screenshot 2023-04-05 at 7.36.43 PM.png]

Björn Eickvonder

Apr 5, 2023, 12:49:33 PM
to Keycloak User
Have you Googled for

keycloak whoami 401

There are some results that may help you, they mostly point to some misconfiguration in AWS.

Björn Eickvonder

Apr 5, 2023, 5:50:36 PM
to Keycloak User
Let me share how we configured it:

- We use DNS discovery; for this you need to set
-- cache-stack=kubernetes in your Keycloak conf (don't be irritated by the name "kubernetes"; it works with ECS as well)
-- -Djgroups.dns.query=<headless-service-FQDN>

- You need egress/ingress rules that allow communication on port 7800

- KC_PROXY=edge (if set as an environment variable)

And upon startup you should see some log messages on at least one of the nodes that it discovered the other one. Is this the case?

Björn
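A pre-flight check for the two things the configuration above depends on (the discovery name returning one A record per node, and TCP 7800 being reachable between those addresses), written as an added example in Python. It is not code from this thread or from the Keycloak project. It assumes the discovery name is an ECS Service Discovery (Cloud Map) or Kubernetes headless-service FQDN that resolves to every task's IP, that JGroups uses the kubernetes stack's default port 7800, and that the Keycloak launcher honours `KC_*` variables and `JAVA_OPTS_APPEND`. The hostname `keycloak.internal.example`, the two task IPs and the fake resolver/connector are constructed so the script runs offline; calling `diagnose()` with its defaults runs the same checks against real DNS and the real network.

```python
"""Pre-flight check for a Keycloak DNS_PING cluster on AWS.

Added example, not code from this thread or from the Keycloak project.
Assumptions: the discovery name resolves to one A record per Keycloak task
(ECS Service Discovery / Cloud Map, or a Kubernetes headless Service), and
JGroups listens on TCP 7800, the default for --cache-stack=kubernetes.
"""
import socket
from typing import Dict, List, Tuple

JGROUPS_PORT = 7800  # default TCP bind port of the JGroups "kubernetes" stack


def keycloak_cluster_env(headless_fqdn: str) -> Dict[str, str]:
    """Environment-variable form of the settings from the reply above.

    KC_* variables map 1:1 to kc.sh options; JAVA_OPTS_APPEND is the
    launcher's hook for extra JVM flags such as the JGroups DNS query.
    """
    return {
        "KC_CACHE": "ispn",
        "KC_CACHE_STACK": "kubernetes",  # DNS_PING over TCP; not k8s-specific
        "KC_PROXY": "edge",              # TLS is terminated at the ALB
        "JAVA_OPTS_APPEND": f"-Djgroups.dns.query={headless_fqdn}",
    }


def resolve_peers(fqdn: str, resolver=socket.gethostbyname_ex) -> List[str]:
    """All A records for the discovery name, which is what DNS_PING queries."""
    try:
        _name, _aliases, addrs = resolver(fqdn)
    except socket.gaierror:
        return []  # NXDOMAIN or wrong private namespace: no peers at all
    return sorted(set(addrs))


def port_open(ip: str, port: int, timeout: float = 2.0,
              connector=socket.create_connection) -> bool:
    """TCP connect to ip:port. A timeout (rather than a refusal) usually means
    a security group or NACL is silently dropping the traffic."""
    try:
        with connector((ip, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED, timeout, host unreachable
        return False


def diagnose(fqdn: str, port: int = JGROUPS_PORT,
             resolver=socket.gethostbyname_ex,
             connector=socket.create_connection) -> Dict[str, object]:
    """Check what DNS_PING needs: at least 2 A records, and TCP reachability."""
    peers = resolve_peers(fqdn, resolver)
    reachable = [ip for ip in peers if port_open(ip, port, connector=connector)]
    if len(peers) < 2:
        verdict = "dns: fewer than 2 A records, nodes cannot discover each other"
    elif len(reachable) < len(peers):
        unreachable = sorted(set(peers) - set(reachable))
        verdict = (f"network: {unreachable} do not accept TCP {port}; "
                   "allow it in the task security group for traffic from itself")
    else:
        verdict = "ok"
    return {"peers": peers, "reachable": reachable, "verdict": verdict}


# --- Constructed offline sample: two tasks, one of them behind a security
# --- group that drops 7800. Stands in for DNS and the network.
SAMPLE_FQDN = "keycloak.internal.example"  # hypothetical Cloud Map name
SAMPLE_PEERS = ["10.0.1.5", "10.0.2.7"]
SAMPLE_BLOCKED = "10.0.2.7"


def sample_resolver(name: str) -> Tuple[str, List[str], List[str]]:
    return (name, [], list(SAMPLE_PEERS))  # same shape as gethostbyname_ex


class FakeConn:
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def sample_connector(addr: Tuple[str, int], timeout=None):
    ip, _port = addr
    if ip == SAMPLE_BLOCKED:
        raise socket.timeout("constructed: security group drops the SYN")
    return FakeConn()


def demo() -> Dict[str, object]:
    """Run the diagnosis against the constructed sample."""
    return diagnose(SAMPLE_FQDN, resolver=sample_resolver, connector=sample_connector)


if __name__ == "__main__":
    for k, v in keycloak_cluster_env(SAMPLE_FQDN).items():
        print(f"{k}={v}")
    print(demo())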

Sodomgula Muni Sanath

Apr 6, 2023, 8:49:41 AM
to Keycloak User
Hi Björn,

We have added the above changes to Fargate and opened port 7800; here are the environment variables for the same.

[Attachment: Screenshot 2023-04-06 at 6.09.29 PM.png]

After that we are getting a connection timeout socket error:

[Attachment: Screenshot 2023-04-06 at 6.07.51 PM.png]