I have set up a test environment to validate a clustered Keycloak authentication server with two Java web applications that need single sign-on. The cluster has two Keycloak nodes behind an Apache2 mod_proxy load balancer. I followed the guidelines in the Keycloak documentation, and everything seems to work: the Keycloak logs report that the caches start and synchronise correctly:
[Server:server-one] 11:28:04,298 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, nucdev2:server-two]
[Server:server-one] 11:28:04,306 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, nucdev2:server-two]
[Server:server-one] 11:28:04,318 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, nucdev2:server-two]
[Server:server-one] 11:28:04,319 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, nucdev2:server-two]
[Server:server-one] 11:28:04,321 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, nucdev2:server-two]
The problem is that when authenticating from the webapp, using the Keycloak Java adapter for Tomcat, I get 403 Forbidden, and when I look at the Keycloak log I see this error message:
[Server:server-one] 11:33:30,700 WARN [org.keycloak.events] (default task-3) type=CODE_TO_TOKEN_ERROR, realmId=test, clientId=customer-portal, userId=null, ipAddress=192.168.10.111, error=user_not_found, grant_type=authorization_code, code_id=889ab790-0c3a-44ea-a1df-247ba501260f, client_auth_method=client-secret
The problem seems to be related to cluster mode, because in standalone mode everything works fine. Is anyone able to provide an example of a clustered Keycloak installation with an external load balancer such as mod_proxy?
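An added triage example (not part of the question, and not the asker's or Keycloak's own code): when a CODE_TO_TOKEN_ERROR with error=user_not_found appears only in cluster mode, the first thing worth checking is which node minted the authorization code and which node served the token request for the same code_id. The script below parses org.keycloak.events lines in the format quoted above, pairs each CODE_TO_TOKEN / CODE_TO_TOKEN_ERROR event with the LOGIN event that carries the same code_id, and flags exchanges that crossed nodes. It assumes the WildFly domain-mode "[Server:<name>]" prefix seen in the question's output and that LOGIN events include a code_id field; the sample log lines are constructed for the example (the code_id of the failing exchange is the one from the question, the second node and the second exchange are made up).

```python
import re
from collections import Counter

# Matches "[Server:<node>] HH:MM:SS,mmm LEVEL [org.keycloak.events] (thread) key=value, ..."
# The "[Server:...]" prefix is the WildFly domain-mode format assumed from the question.
EVENT_RE = re.compile(
    r"^\[Server:(?P<node>[^\]]+)\]\s+(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<fields>.+)$"
)


def parse_event(line):
    """Return the event's fields as a dict, or None if the line is not a Keycloak event line."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    event = {"node": m.group("node"), "time": m.group("time"), "level": m.group("level")}
    for pair in m.group("fields").split(","):
        key, sep, value = pair.strip().partition("=")
        if sep:  # skip fragments that are not key=value
            event[key] = value
    return event


def correlate(lines):
    """Pair every CODE_TO_TOKEN(_ERROR) event with the LOGIN that issued its code_id.

    Returns one record per code exchange: issuing node, node that served the
    token request, the error (if any) and whether the exchange crossed nodes.
    """
    events = [e for e in map(parse_event, lines) if e is not None]
    issued_by = {e["code_id"]: e["node"] for e in events
                 if e.get("type") == "LOGIN" and "code_id" in e}
    records = []
    for e in events:
        if e.get("type") not in ("CODE_TO_TOKEN", "CODE_TO_TOKEN_ERROR"):
            continue
        issuer = issued_by.get(e.get("code_id"))
        records.append({
            "code_id": e.get("code_id"),
            "client": e.get("clientId"),
            "issued_by": issuer,
            "exchanged_on": e["node"],
            "error": e.get("error"),
            "cross_node": issuer is not None and issuer != e["node"],
        })
    return records


def summarize(lines):
    """Count exchanges and split the failures into same-node and cross-node cases."""
    records = correlate(lines)
    errors = [r for r in records if r["error"]]
    return {
        "exchanges": len(records),
        "errors": len(errors),
        "cross_node_errors": sum(1 for r in errors if r["cross_node"]),
        "same_node_errors": sum(1 for r in errors if not r["cross_node"]),
        "error_types": Counter(r["error"] for r in errors),
    }


# Constructed sample log: one Infinispan line (ignored), one login whose code is
# exchanged on the other node and fails, and one login/exchange on the same node.
SAMPLE_LOG = [
    "[Server:server-one] 11:28:04,298 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [master:server-one|1] (2) [master:server-one, nucdev2:server-two]",
    "[Server:server-one] 11:33:29,910 INFO  [org.keycloak.events] (default task-2) type=LOGIN, realmId=test, clientId=customer-portal, userId=2b1e0c7a-0000-4000-8000-000000000001, ipAddress=192.168.10.111, auth_method=openid-connect, code_id=889ab790-0c3a-44ea-a1df-247ba501260f, username=alice",
    "[Server:server-two] 11:33:30,700 WARN  [org.keycloak.events] (default task-3) type=CODE_TO_TOKEN_ERROR, realmId=test, clientId=customer-portal, userId=null, ipAddress=192.168.10.111, error=user_not_found, grant_type=authorization_code, code_id=889ab790-0c3a-44ea-a1df-247ba501260f, client_auth_method=client-secret",
    "[Server:server-two] 11:35:01,120 INFO  [org.keycloak.events] (default task-5) type=LOGIN, realmId=test, clientId=customer-portal, userId=2b1e0c7a-0000-4000-8000-000000000001, ipAddress=192.168.10.111, auth_method=openid-connect, code_id=0f0f0f0f-1111-4222-8333-444444444444, username=alice",
    "[Server:server-two] 11:35:01,640 INFO  [org.keycloak.events] (default task-6) type=CODE_TO_TOKEN, realmId=test, clientId=customer-portal, userId=2b1e0c7a-0000-4000-8000-000000000001, ipAddress=192.168.10.111, grant_type=authorization_code, code_id=0f0f0f0f-1111-4222-8333-444444444444, client_auth_method=client-secret",
]

if __name__ == "__main__":
    for record in correlate(SAMPLE_LOG):
        print(record)
    print(summarize(SAMPLE_LOG))
```

Feed it the concatenated logs of both nodes (each line already carries its node name). If every failure is a cross-node exchange and every same-node exchange succeeds, the two nodes are not seeing each other's authentication session state for the code, which narrows the problem to the cache configuration or the balancer's session affinity rather than the Tomcat adapter.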