dev: keycloak single replica (fix cross-pod auth-session cookie_not_found)#7
Merged
Merged
Conversation
…ound) The working ECS keycloak runs desired_count=1. The EKS dev keycloak ran 2 replicas with no sticky sessions, so the auth session created on one pod (GET /auth) wasn't found when the login-actions POST landed on the other pod -> cookie_not_found / invalid_code on the cross-app OIDC login (cookies + secure context were already fixed). Match ECS with 1 replica for dev validation; HA (2 replicas + cookie/sticky affinity) is a prod follow-up. Part of thunderbird/platform-infrastructure#599 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
After fixing the secure-context/cookie issue (xforwarded), the OIDC login still failed with
cookie_not_found/invalid_code. Root cause: the EKS dev keycloak ran 2 replicas with no sticky sessions, so the auth session created on pod A (GET/auth) is not found when the login POST lands on pod B. The working ECS keycloak runs a single pod (desired_count=1), which is why it never hit this. Match ECS withreplicas: 1for the dev validation. HA (2 replicas + cookie/ClientIP session affinity) is a prod follow-up. Part of thunderbird/platform-infrastructure#599.