Gracefully handling failover between independent providers

[nabertrand]

I'm attempting to set up two independent Keycloak instances with identical configurations that can act as a failover pair without going through the work of configuring shared sessions between the instances. During my initial testing, failing over causes the client to receive the message Error: OpenID Connect Provider error: Error in handling response type. Looking at the logs, it appears that mod_auth_openidc attempts to reach out to the now-primary instance with a code that is only valid on the previous instance and gets a 400 / invalid_grant response as shown below. Is there a way to configure mod_auth_openidc to go through authentication again on receiving a 400 error? Or perhaps there is some other configuration change I need to make?

Thanks,

Nick

[Thu Jul 25 22:58:19.973410 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(746): [client 10.21.72.104:43924] oidc_util_http_add_form_url_encoded_param: processing: grant_type=authorization_code
[Thu Jul 25 22:58:19.973428 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(746): [client 10.21.72.104:43924] oidc_util_http_add_form_url_encoded_param: processing: code=1a811215-e7a7-45c6-8d30-49e5fc6d1bfc.92f6cc82-a685-432b-ba30-1901a2c106ab.test-app
[Thu Jul 25 22:58:19.973443 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(746): [client 10.21.72.104:43924] oidc_util_http_add_form_url_encoded_param: processing: redirect_uri=https://<redacted>
[Thu Jul 25 22:58:19.973462 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(792): [client 10.21.72.104:43924] oidc_util_http_form_encoded_data: data=grant_type=authorization_code&code=1a811215-e7a7-45c6-8d30-49e5fc6d1bfc.92f6cc82-a685-432b-ba30-1901a2c106ab.test-app&redirect_uri=<redacted>
[Thu Jul 25 22:58:19.973470 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(818): [client 10.21.72.104:43924] oidc_util_http_call: url=<redacted>/protocol/openid-connect/token, data=grant_type=authorization_code&code=1a811215-e7a7-45c6-8d30-49e5fc6d1bfc.92f6cc82-a685-432b-ba30-1901a2c106ab.test-app&redirect_uri=<redacted>, content_type=application/x-www-form-urlencoded, basic_auth=****, bearer_token=(null), ssl_validate_server=1, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Thu Jul 25 22:58:20.024533 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(1011): [client 10.21.72.104:43924] oidc_util_http_call: HTTP response code=400
[Thu Jul 25 22:58:20.024558 2024] [auth_openidc:debug] [pid 3308952:tid 139824128321280] src/util.c(1016): [client 10.21.72.104:43924] oidc_util_http_call: response={"error":"invalid_grant","error_description":"Code not valid"}
[Thu Jul 25 22:58:20.025083 2024] [auth_openidc:error] [pid 3308952:tid 139824128321280] [client 10.21.72.104:43924] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_grant""
[Thu Jul 25 22:58:20.025103 2024] [auth_openidc:error] [pid 3308952:tid 139824128321280] [client 10.21.72.104:43924] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Code not valid""
[Thu Jul 25 22:58:20.025108 2024] [auth_openidc:error] [pid 3308952:tid 139824128321280] [client 10.21.72.104:43924] oidc_proto_resolve_code_and_validate_response: failed to resolve the code

[zandbelt]

no it is not possible to restart authentication on a code exchange error: in most cases it would lead to infinite loops; you'll need to cater for proper failover in Keycloak itself, possibly by issuing a stateless code parameter value (not sure if that is possible at all)