Question
I have Keycloak 4.0.0 installed on two Debian stretch machines. Those are configured in standalone clustered mode. Both share a MySQL cluster database instance and a load balancer is doing HA.
I have code which needs to validate tokens against the introspection endpoint, but it's not working half of the time. This is actually because the load balancer is doing its job, and it is consequently easy to reproduce:
- ask a token on /auth/realms//protocol/openid-connect/token on server 1
- call introspection endpoint /auth/realms//protocol/openid-connect/token/introspect to check the access token provided by the server 1 on server 2
If I call the introspection endpoint on server I've the json response I expect, but on server 2 I just have active: false.
This is quite strange because sessions are replicated on admin interface in "show sessions".
Any ideas?
Thanks!
Rémi
Answer 1:
I was facing the same issue.
For the introspect API, try setting the Host header. For example: when hitting the /protocol/openid-connect/token API, pass the header "host: foo". Now, when hitting the protocol/openid-connect/token/introspect API, set the header "host: foo".
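
A diagnostic for the situation in this thread, added here as an example and not part of the original question or answer: it compares the host in a token's `iss` claim with the host the introspection request will present. It assumes the `active: false` response comes from an issuer mismatch, which is the case the Host header workaround addresses; the host names, realm `demo` and the token are constructed.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_introspection_host(token, introspect_url, host_header=None):
    """Compare the host in the token's `iss` with the host the server will see.

    Returns (match, issuer_host, request_host). An explicit Host header,
    if given, takes precedence over the host in the URL.
    """
    issuer_host = urlsplit(jwt_claims(token).get("iss", "")).netloc.lower()
    request_host = (host_header or urlsplit(introspect_url).netloc).lower()
    return issuer_host == request_host, issuer_host, request_host


def _b64(obj):
    """Base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: token requested through node 1, introspected on node 2.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"iss": "http://kc1.example.internal:8080/auth/realms/demo", "sub": "u1"}),
    "constructed-signature",
])
INTROSPECT_URL = ("http://kc2.example.internal:8080/auth/realms/demo"
                  "/protocol/openid-connect/token/introspect")

if __name__ == "__main__":
    # Direct call to node 2: hosts differ, so expect active: false.
    print(check_introspection_host(SAMPLE_TOKEN, INTROSPECT_URL))
    # Same call with the Host header pinned to the issuing host: hosts match.
    print(check_introspection_host(SAMPLE_TOKEN, INTROSPECT_URL,
                                   host_header="kc1.example.internal:8080"))
```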
Source: https://stackoverflow.com/questions/51480664/token-introspection-considering-token-as-not-active