Hi,
I have 2 Keycloak server nodes running on Ubuntu VMs, both pointing to a single PostgreSQL Keycloak database.
For the replication configuration between both Keycloak nodes I followed the "Configuring distributed caches" page of the Keycloak documentation.
When I change a user's password on Keycloak node1, I am able to log in as that user on node1, but on node2 the user is unable to log in using the new password. The old password still works on node2. Once I restart the node2 Keycloak server, I am able to log in using the newly changed password. It seems the password replication is not working between the two Keycloak nodes. I have set owners="2" for the distributed caches.
Also, user login sessions are not syncing between the Keycloak nodes and the sessions are different. It seems the cache is not syncing between the Keycloak nodes.
As both Keycloak nodes point to a single database, it is expected that if a user's password is changed on one node, the user should be able to log in using the new password on the other node.
Could you please advise on the configuration for replication sync between both Keycloak nodes to resolve this issue?
Even if I disable the cache, I face the same issue.
Any guidance/help/support on this topic will be helpful.
Thank you
You would need to give more information e.g. what is in the log of both instances? and how do you start your instances (e.g. if you are using start-dev, all distributed caches are disabled!)
Hi,
I am starting the server in production mode.
I am using the below configuration in the keycloak.conf file:
spi-sticky-session-encoder-infinispan-should-attach-route=false
cache=ispn
cache-config-file=cache-ispn.xml
and below is cache-ispn.xml:
<?xml version="1.0" encoding="UTF-8"?>
  <TCP external_addr="10.10.1.10" bind_addr="10.10.1.11" bind_port="7600" />
  <TCPPING initial_hosts="10.10.1.10[7600],10.10.1.11[7600]"
           max_dynamic_hosts="0"
           port_range="0"
           stack.combine="REPLACE"
           stack.position="MPING"/>
</stack>
<cache-container name="keycloak">
  <transport lock-timeout="60000" stack="tcpping"/>
  <!--
  <transport cluster="${infinispan.cluster.name:node1}"
  stack="my-stack"
  node-name="${infinispan.node.name:"node2/>
  -->
  <local-cache name="realms" simple-cache="true">
    <encoding>
      <key media-type="application/x-java-object"/>
      <value media-type="application/x-java-object"/>
    </encoding>
    <!--<memory max-count="10000"/> -->
  </local-cache>
  <local-cache name="users" simple-cache="true">
    <encoding>
      <key media-type="application/x-java-object"/>
      <value media-type="application/x-java-object"/>
    </encoding>
    <!-- <memory max-count="10000"/> -->
  </local-cache>
  <distributed-cache name="sessions" owners="2" mode="SYNC"
                     statistics="true">
    <expiration lifespan="-1"/>
  </distributed-cache>
  <distributed-cache name="authenticationSessions" owners="2" mode="SYNC"
                     statistics="true">
    <expiration lifespan="-1"/>
  </distributed-cache>
  <distributed-cache name="offlineSessions" owners="2">
    <expiration lifespan="-1"/>
  </distributed-cache>
  <distributed-cache name="clientSessions" owners="2" mode="SYNC"
                     statistics="true">
    <expiration lifespan="-1"/>
  </distributed-cache>
  <distributed-cache name="offlineClientSessions" owners="2">
    <expiration lifespan="-1"/>
  </distributed-cache>
  <distributed-cache name="loginFailures" owners="2">
    <expiration lifespan="-1"/>
  </distributed-cache>
  <local-cache name="authorization" simple-cache="true">
    <encoding>
      <key media-type="application/x-java-object"/>
      <value media-type="application/x-java-object"/>
    </encoding>
    <!-- <memory max-count="10000"/> -->
  </local-cache>
  <replicated-cache name="work" mode="SYNC"
                    statistics="true">
    <expiration lifespan="-1"/>
  </replicated-cache>
  <local-cache name="keys" simple-cache="true">
    <encoding>
      <key media-type="application/x-java-object"/>
      <value media-type="application/x-java-object"/>
    </encoding>
    <expiration max-idle="3600000"/>
    <!-- <memory max-count="1000"/> -->
  </local-cache>
  <distributed-cache name="actionTokens" owners="2">
    <encoding>
      <key media-type="application/x-java-object"/>
      <value media-type="application/x-java-object"/>
    </encoding>
    <expiration max-idle="-1" lifespan="-1" interval="300000"/>
    <memory max-count="-1"/>
  </distributed-cache>
</cache-container>
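An added example, not part of the thread and not Keycloak's own tooling: a small per-node consistency check for a cache file of this shape, relevant because Keycloak propagates invalidation of the local `users` and `realms` caches through the replicated `work` cache, so a node that never joins the cluster keeps serving stale credentials. The function name `check_cluster_config` is hypothetical, and the `<infinispan>`, `<jgroups>` and `<stack name="tcpping" extends="tcp">` wrappers in the sample are assumptions, since the posted file lacks its opening elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample using the posted values. The <infinispan>, <jgroups> and
# <stack name="tcpping" extends="tcp"> wrappers are assumptions: the posted
# file is missing its opening elements.
SAMPLE = """<infinispan><jgroups>
  <stack name="tcpping" extends="tcp">
    <TCP external_addr="10.10.1.10" bind_addr="10.10.1.11" bind_port="7600"/>
    <TCPPING initial_hosts="10.10.1.10[7600],10.10.1.11[7600]"
             stack.combine="REPLACE" stack.position="MPING"/>
  </stack></jgroups>
  <cache-container name="keycloak">
    <transport lock-timeout="60000" stack="tcpping"/>
    <local-cache name="users"/>
    <replicated-cache name="work"/>
  </cache-container></infinispan>"""

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix

def check_cluster_config(xml_text):
    """Return a list of findings for one node's Infinispan/JGroups file."""
    root = ET.fromstring(xml_text)
    by_tag = {}
    for el in root.iter():
        by_tag.setdefault(_name(el), []).append(el)
    findings = []
    stacks = {s.get("name"): s for s in by_tag.get("stack", [])}
    transport = (by_tag.get("transport") or [None])[0]
    stack = stacks.get(transport.get("stack")) if transport is not None else None
    if stack is None:
        return ["transport does not reference a defined JGroups stack"]
    kids = {_name(c): c for c in stack}
    tcp, ping = kids.get("TCP"), kids.get("TCPPING")
    if tcp is None or ping is None:
        return ["stack lacks TCP or TCPPING"]
    hosts = {h.strip() for h in ping.get("initial_hosts", "").split(",")}
    bind, port = tcp.get("bind_addr"), tcp.get("bind_port")
    if f"{bind}[{port}]" not in hosts:  # this node must be discoverable
        findings.append(f"{bind}[{port}] is not in initial_hosts")
    ext = tcp.get("external_addr")  # address advertised to the other members
    if ext and ext != bind:
        findings.append(f"external_addr {ext} differs from bind_addr {bind}")
    if not any(c.get("name") == "work" for c in by_tag.get("replicated-cache", [])):
        findings.append("no replicated 'work' cache for invalidation messages")
    return findings

if __name__ == "__main__":
    for finding in check_cluster_config(SAMPLE):
        print("REVIEW:", finding)
```

A finding is a prompt to review that setting on that node, not a diagnosis; whether the cluster actually formed is confirmed from the startup logs of both instances.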