
Trying to run Keycloak (Keycloak 9 with RedHat SSO 7.4 (rh-sso-7/sso74-openshift-rhel8 image, version 7.4)) in OpenShift using the JGROUP_PING configuration. Nodes seem to be discovered (the database table is updated based on the running pods, so they are added or removed), the load balancer works fine, and logging in/out works as well. But refresh tokens are failing:

```
type=REFRESH_TOKEN_ERROR, realmId=TEST, clientId=null, userId=null, ipAddress=X.X.X.X, error=invalid_client_credentials, grant_type=refresh_token
```

Here is what I have in my actions.cli:

```
# create our new TCP stack based on JGROUP_PING protocol
/subsystem=jgroups/stack=tcp:add()
/subsystem=jgroups/stack=tcp/transport=TCP:add(socket-binding="jgroups-tcp")
/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:add(data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE JGROUPSPING (own_addr varchar(200) NOT NULL,bind_addr varchar(200) NOT NULL,created timestamp NOT NULL,cluster_name varchar(200) NOT NULL,ping_data blob,constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))",insert_single_sql="INSERT INTO JGROUPSPING (own_addr, bind_addr, created, cluster_name, ping_data) values (?,'${env.HOST_IP}',current_timestamp(6), ?, ?)",delete_single_sql="DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?",select_all_pingdata_sql="SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?",remove_old_coords_on_view_change="true",remove_all_data_on_view_change="true"])
/subsystem=jgroups/stack=tcp/protocol=MERGE3:add()
/subsystem=jgroups/stack=tcp/protocol=FD_SOCK:add(socket-binding="jgroups-tcp-fd")
#/subsystem=jgroups/stack=tcp/protocol=FD:add()
/subsystem=jgroups/stack=tcp/protocol=FD_ALL:add()
/subsystem=jgroups/stack=tcp/protocol=VERIFY_SUSPECT:add()
/subsystem=jgroups/stack=tcp/protocol=pbcast.NAKACK2:add()
/subsystem=jgroups/stack=tcp/protocol=UNICAST3:add()
/subsystem=jgroups/stack=tcp/protocol=pbcast.STABLE:add()
/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:add()
/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS/property=max_join_attempts:add(value=5)
/subsystem=jgroups/stack=tcp/protocol=MFC:add()
/subsystem=jgroups/stack=tcp/protocol=FRAG3:add()
```

And I have also added this: `<socket-binding name="jgroups-tcp" interface="public" port="7600"/>`

I don't use DNS_PING, because we are not allowed to use multicasting.

user3475366
  • It doesn't look like a problem with the JGROUP_PING configuration. `invalid_client_credentials` indicates a different problem, but it's not clear what your refresh request looks like. – Jan Garaj Mar 29 '21 at 14:48
  • @JanGaraj everything works when only 1 pod is running. In order to get the error I do the following: I log in, so I get a token, then check which pod has registered my session, then I kill that pod, and then, when the request for a token refresh is sent, the error comes up. In all other cases there is no error. – user3475366 Mar 30 '21 at 12:35

0 Answers