Skip to content

dev: keycloak single replica (fix cross-pod auth-session cookie_not_found)#7

Merged
aatchison merged 1 commit into
mainfrom
fix/dev-keycloak-single-replica
Jun 27, 2026
Merged

dev: keycloak single replica (fix cross-pod auth-session cookie_not_found)#7
aatchison merged 1 commit into
mainfrom
fix/dev-keycloak-single-replica

Conversation

@aatchison

Copy link
Copy Markdown
Contributor

After fixing the secure-context/cookie issue (xforwarded), the OIDC login still failed with cookie_not_found/invalid_code. Root cause: the EKS dev keycloak ran 2 replicas with no sticky sessions, so the auth session created on pod A (GET /auth) is not found when the login POST lands on pod B. The working ECS keycloak runs a single pod (desired_count=1), which is why it never hit this. Match ECS with replicas: 1 for the dev validation. HA (2 replicas + cookie/ClientIP session affinity) is a prod follow-up. Part of thunderbird/platform-infrastructure#599.

…ound)

The working ECS keycloak runs desired_count=1. The EKS dev keycloak ran 2
replicas with no sticky sessions, so the auth session created on one pod (GET
/auth) wasn't found when the login-actions POST landed on the other pod ->
cookie_not_found / invalid_code on the cross-app OIDC login (cookies + secure
context were already fixed). Match ECS with 1 replica for dev validation; HA
(2 replicas + cookie/sticky affinity) is a prod follow-up.

Part of thunderbird/platform-infrastructure#599

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aatchison aatchison merged commit 76833bf into main Jun 27, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant