Keycloak - write to and read custom entries from Infinispan - keycloak

Is there a way to write to and read custom entries from Infinispan in a custom Keycloak SPI?
So, for example, if you wanted to track the number of failed login attempts for a given user, could you store a simple count-by-username map in Infinispan?
I'd like to achieve this with Infinispan in order to cache the value across the whole Keycloak cluster, not on a single node.
Is this possible to do with Infinispan and Keycloak?
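One way to do this, as an added example that is not part of the original thread: a small helper that keeps a cluster-wide failed-login counter per username in a custom Infinispan cache obtained through Keycloak's InfinispanConnectionProvider. It assumes a cache with the hypothetical name loginFailureCounters is declared in the same Infinispan configuration as Keycloak's own caches (the keycloak cache container), and that the helper is called from a custom provider such as an Authenticator that has a KeycloakSession. Note that Keycloak's built-in brute-force detection already keeps per-user failure counts in its own loginFailures cache, so a custom counter only makes sense for something the built-in protection does not cover.

```java
// Added example, not Keycloak's own code. A per-username failed-login
// counter stored in a custom Infinispan cache so that every node in the
// Keycloak cluster sees the same value.
// Assumption: a cache named "loginFailureCounters" (hypothetical name) is
// declared next to Keycloak's own caches in the Infinispan configuration.
import org.infinispan.Cache;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.models.KeycloakSession;

import java.util.Locale;

public class FailedLoginCounter {

    // Hypothetical cache name; it must exist in the Infinispan configuration,
    // otherwise getCache() will not return a usable cache.
    public static final String CACHE_NAME = "loginFailureCounters";

    private final Cache<String, Integer> cache;

    // Typically constructed from an Authenticator via context.getSession().
    public FailedLoginCounter(KeycloakSession session) {
        InfinispanConnectionProvider provider =
                session.getProvider(InfinispanConnectionProvider.class);
        this.cache = provider.getCache(CACHE_NAME);
    }

    // Atomically increments the counter for the user. merge() runs as a
    // single operation on the entry's primary owner, so two failures arriving
    // on different nodes at the same time are not lost. Returns the new count.
    public int recordFailure(String username) {
        return cache.merge(key(username), 1, Integer::sum);
    }

    // Current count, or 0 if the user has no recorded failures.
    public int failures(String username) {
        return cache.getOrDefault(key(username), 0);
    }

    // Clear the counter, e.g. after a successful login.
    public void reset(String username) {
        cache.remove(key(username));
    }

    // Keycloak usernames are case-insensitive, so "Alice" and "alice" must
    // share one counter.
    private static String key(String username) {
        return username.toLowerCase(Locale.ROOT);
    }
}
```

Two practical points: configure expiration on the cache definition itself (a lifespan on the cache) rather than trying to expire entries one by one, so stale counters do not accumulate; and if the counter feeds a lockout decision, be aware that the cache is not a database, so a full cluster restart without a persistent store resets every counter to zero.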

Related

Keycloak user session persistence

When I'm logged in, I don't see any active session in the database in the tables USER_SESSION and CLIENT_SESSION.
But at the same time, the active session is displayed in the Sessions tab in the Keycloak Admin Panel.
Where is this session stored: in memory?
And if it is stored in memory, then how to make it stored in the database table?
https://www.keycloak.org/docs/latest/server_installation/#cache
In Keycloak we have the concept of authentication sessions. There is a separate Infinispan cache called authenticationSessions.
So correct. DB is not used for the sessions, also "in memory" is not used. Infinispan cache is used.
Of course nobody is stopping you from rewriting the whole Keycloak caching to store sessions in the DB. But this will be quite a big task. I would say there is a reason why the devs have chosen Infinispan and not the DB, so I wouldn't change it at all.
It is not clear why you need to store sessions in the DB. If it is for persistence, then Infinispan offers configuration for a persistent store - e.g. you can use a JDBC driver and save the data into a relational DB.

Assign names to applications without Service Fabric

I have an application in the service fabric and I'm going to upload another one.
I wonder if it's possible to assign different names to each application.
With an application, I access using the address:
http://sf-spartan.eastus.cloudapp.azure.com
Can you configure access to look like this?
http://application1.sf-spartan.eastus.cloudapp.azure.com
or
http://sf-spartan.eastus.cloudapp.azure.com/application1
Sure, have a look here. Use the ApplicationName argument to define it.
Every application instance you create must in fact have a unique name.
You can reach your application instance through its url by using a reverse proxy. (either the built-in one, or a custom one like Traefik)
Usually, the application and service name are part of the url, e.g.:
http://mycluster.eastus.cloudapp.azure.com:19081/MyApp/MyService
This does require a web based communication listener.
Even more info here.

Deploying IdentityServer3 on Load Balancer

We are moving right along with building out our custom IdentityServer solution based on IdentityServer3. We will be deploying in a load balanced environment.
According to https://identityserver.github.io/Documentation/docsv2/configuration/serviceFactory.html there are a number of services and stores that need to be implemented.
I have implemented the mandatory user service, client and scope stores.
The document says there are other mandatory items to implement but that there are default InMemory versions.
We were planning on using the default in-memory versions for the other stuff but I am concerned that not all of them will work in a load balanced scenario.
What are the other mandatory services and stores we must implement for things to work properly when load balanced?
With multiple Identity Server installations serving the same requests (e.g. load balanced) you won't be able to use the various in-memory token stores, otherwise authorization codes, refresh tokens and reference tokens issued by one server won't be recognized by the other, nor will user consent be persisted. If you are using IIS, machine key synchronization is also necessary to have tokens work across all instances.
There's an entity framework package available for the token stores. You'll need the operational data.
There's also a very useful guide to going live here.

Getting more detail from the Spring cloud Discovery Client

I note that with the various refactorings of common elements into spring cloud commons, the information that you get from autowiring DiscoveryClient is rather sparse.
Let's say that I want to get more information from the incoming service data that the service gets when it registers with Eureka. Much of what I want is in the Application object.
I know that I could get this detail from the EurekaClient. How can I get access to the EurekaClient object?
I suspect you mean InstanceInfo objects, since Application basically just holds a list of InstanceInfo's. The ServiceInstance returned from the Spring Cloud DiscoveryClient.getInstances(serviceId) is backed by an InstanceInfo. My guess is it would be easiest for you to autowire EurekaClient (or com.netflix.*.DiscoveryClient if you're using an older version) and go from there. We have to be sparse as we support more than just Eureka (Consul, Zookeeper).
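The approach from the answer above, as an added example that is not part of the original thread: a Spring component that autowires both the portable Spring Cloud DiscoveryClient and the Netflix EurekaClient, and reads the full InstanceInfo records behind a service id. It assumes a Spring Boot application with the Eureka client starter on the classpath; the class and method names are this example's own.

```java
// Added example, not Spring Cloud's own code. Shows the portable view
// (ServiceInstance) next to the Eureka-specific view (InstanceInfo) of the
// same service id. Assumes spring-cloud-starter-netflix-eureka-client.
import com.netflix.appinfo.InstanceInfo;
import com.netflix.discovery.EurekaClient;
import com.netflix.discovery.shared.Application;
import org.springframework.cloud.client.ServiceInstance;
import org.springframework.cloud.client.discovery.DiscoveryClient;
import org.springframework.stereotype.Component;

import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

@Component
public class EurekaInstanceDetails {

    private final DiscoveryClient discoveryClient; // Spring Cloud abstraction
    private final EurekaClient eurekaClient;       // Netflix client, Eureka only

    // Constructor injection; both beans are created by the Eureka starter.
    public EurekaInstanceDetails(DiscoveryClient discoveryClient, EurekaClient eurekaClient) {
        this.discoveryClient = discoveryClient;
        this.eurekaClient = eurekaClient;
    }

    // Portable view: only host, port, scheme and metadata are available.
    public List<String> uris(String serviceId) {
        return discoveryClient.getInstances(serviceId).stream()
                .map(ServiceInstance::getUri)
                .map(Object::toString)
                .collect(Collectors.toList());
    }

    // Eureka-specific view: the raw InstanceInfo records, which also carry
    // status, lease information and health-check URL. Eureka registers
    // application names in upper case.
    public List<InstanceInfo> instanceInfos(String serviceId) {
        Application app = eurekaClient.getApplication(serviceId.toUpperCase(Locale.ROOT));
        return app == null ? Collections.emptyList() : app.getInstances();
    }

    // A registered-but-DOWN instance still appears in the registry; filter on
    // the status Eureka reports before routing any traffic to it.
    public List<InstanceInfo> upInstances(String serviceId) {
        return instanceInfos(serviceId).stream()
                .filter(i -> i.getStatus() == InstanceInfo.InstanceStatus.UP)
                .collect(Collectors.toList());
    }
}
```

Autowiring EurekaClient ties the component to Eureka; keep that dependency in one place so the rest of the code can stay on the generic DiscoveryClient and still work with Consul or Zookeeper.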

Can Hazelcast create and manage Sessions?

From my initial reading I understand that Hazelcast offers session clustering as one of its features. But can I use Hazelcast to create and manage the complete session lifecycle (creation, update, destroy, auto-expiry)? Does Hazelcast have this capability?
Or should I still have to use something like Spring Session or a regular HttpSession for creating and managing a session's lifecycle?
Actually Hazelcast doesn't offer such an API. But you can try this trick:
Sessions (that are distributed) are stored in a Hazelcast Map. If you can reach the hazelcastInstance somehow (probably in your web application), then you can add an entry listener to your map. So when there is a session change (like insert, evict, remove, update etc.) you will be informed.
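The trick from the answer above, as an added example that is not part of the original thread: an entry listener attached to the Hazelcast map that holds the sessions, so that creation, update, removal, eviction and TTL expiry are each reported. It assumes Hazelcast 4.x (where EntryExpiredListener is available and IMap lives in com.hazelcast.map), an embedded HazelcastInstance, and a map named sessions; that map name is hypothetical, the real one comes from the session-clustering configuration.

```java
// Added example, not Hazelcast's own code. Watches the session map and logs
// every lifecycle event; the per-entry TTL in main() shows auto-expiry.
// Assumptions: Hazelcast 4.x, embedded member, map name "sessions"
// (hypothetical, taken from the session-clustering configuration in practice).
import com.hazelcast.core.EntryEvent;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.map.IMap;
import com.hazelcast.map.listener.EntryAddedListener;
import com.hazelcast.map.listener.EntryEvictedListener;
import com.hazelcast.map.listener.EntryExpiredListener;
import com.hazelcast.map.listener.EntryRemovedListener;
import com.hazelcast.map.listener.EntryUpdatedListener;

import java.util.concurrent.TimeUnit;

public class SessionMapWatcher {

    static final String SESSION_MAP = "sessions"; // hypothetical map name

    // One listener implementing the per-event interfaces; Hazelcast only
    // dispatches the event types whose interface the listener implements.
    static class SessionListener implements
            EntryAddedListener<String, Object>,
            EntryUpdatedListener<String, Object>,
            EntryRemovedListener<String, Object>,
            EntryEvictedListener<String, Object>,
            EntryExpiredListener<String, Object> {

        @Override public void entryAdded(EntryEvent<String, Object> e)   { log("created", e); }
        @Override public void entryUpdated(EntryEvent<String, Object> e) { log("updated", e); }
        @Override public void entryRemoved(EntryEvent<String, Object> e) { log("destroyed", e); }
        @Override public void entryEvicted(EntryEvent<String, Object> e) { log("evicted", e); }
        @Override public void entryExpired(EntryEvent<String, Object> e) { log("expired", e); }

        private static void log(String what, EntryEvent<String, Object> e) {
            // Log only the session id and the member that fired the event;
            // never log session contents, they may hold credentials or tokens.
            System.out.printf("session %s %s on %s%n",
                    e.getKey(), what, e.getMember().getAddress());
        }
    }

    public static void main(String[] args) throws InterruptedException {
        HazelcastInstance hz = Hazelcast.newHazelcastInstance();
        IMap<String, Object> sessions = hz.getMap(SESSION_MAP);

        // includeValue=false: the listener needs only keys, which also avoids
        // shipping session payloads to every listener in the cluster.
        sessions.addEntryListener(new SessionListener(), false);

        sessions.put("sess-1", "attrs", 30, TimeUnit.SECONDS);    // created
        sessions.put("sess-1", "attrs-v2", 30, TimeUnit.SECONDS); // updated
        sessions.remove("sess-1");                                // destroyed
        sessions.put("sess-2", "attrs", 1, TimeUnit.SECONDS);     // expires by TTL
        Thread.sleep(3_000); // expiry is detected by a background task
        hz.shutdown();
    }
}
```

The listener only observes what the session-clustering filter (or your own code) writes into the map; creating and invalidating the HttpSession itself still belongs to the servlet container or Spring Session, which is what the answer means by Hazelcast not offering a session API.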