Keycloak 20.0.5 Problem statement: On my local machine I have set up a Keycloak cluster with two nodes, using the following Infinispan configuration. However, an access token generated by one node can't be introspected on the other. Initially I thought this might be because the authorization cache was previously marked as a local cache, but even after changing it to distributed it did not work. Can anyone point me in the right direction? I have checked that sessions appear on both nodes, which means Infinispan is working.
<!--
Infinispan cache definitions for a Keycloak cluster (cache container "keycloak").
Three cache kinds appear below: local-cache (kept per node), distributed-cache
with owners="2" (each entry is held by two nodes) and replicated-cache (held by
every node).
NOTE(review): xsi:schemaLocation is only a validation hint and points at a plain
http URL; validate against a locally pinned copy of the XSD instead of fetching it.
-->
<infinispan
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd"
xmlns="urn:infinispan:config:11.0">
<cache-container name="keycloak">
<!--
Cluster transport. Only the lock timeout (ms) is set here; no stack, encryption or
node authentication is configured in this file.
NOTE(review): the caches below carry session and login state between nodes, and that
traffic is presumably unprotected unless the JGroups stack adds encryption and
authentication. Confirm this before running outside a trusted network segment.
-->
<transport lock-timeout="60000"/>
<!-- Per-node cache of realm data, stored as Java objects, capped at 10000 entries. -->
<local-cache name="realms">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<memory max-count="10000"/>
</local-cache>
<!-- Per-node cache of user data, same encoding and 10000-entry cap as "realms". -->
<local-cache name="users">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<memory max-count="10000"/>
</local-cache>
<!--
Session-related caches. Each is distributed with two owners, and lifespan="-1"
disables expiry at the Infinispan level.
NOTE(review): entry lifetime is presumably enforced by Keycloak itself; verify that
session and token timeouts are set in the realm.
-->
<distributed-cache name="sessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<distributed-cache name="authenticationSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<distributed-cache name="offlineSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<distributed-cache name="clientSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<distributed-cache name="offlineClientSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<!-- Presumably the brute-force detection counters; distributed so both nodes see the same failures. -->
<distributed-cache name="loginFailures" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<!--
NOTE(review): the question says this cache was changed from local to distributed.
Keycloak's shipped configuration defines "authorization" as a local-cache, and the
name suggests it holds authorization-services (policy) data rather than access-token
state, so the change is unlikely to affect introspection. Consider reverting it.
max-count="-1" also removes the entry cap, so memory use is unbounded.
-->
<distributed-cache name="authorization" owners="2">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
<memory max-count="-1"/>
</distributed-cache>
<!-- Replicated to every node; presumably used for cluster-wide notifications such as invalidating the local caches. -->
<replicated-cache name="work">
<expiration lifespan="-1"/>
</replicated-cache>
<!-- Per-node cache, at most 1000 entries, dropped after 3600000 ms (one hour) without access. -->
<local-cache name="keys">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration max-idle="3600000"/>
<memory max-count="1000"/>
</local-cache>
<!--
Distributed with two owners, no entry cap and no Infinispan-level expiry; the
expiration reaper runs every 300000 ms.
NOTE(review): presumably tracks single-use action tokens, so both nodes must see the
same entries for replay protection to hold. TODO confirm.
-->
<distributed-cache name="actionTokens" owners="2">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
<memory max-count="-1"/>
</distributed-cache>
</cache-container>
</infinispan>
For node 1, keycloak.conf is:
# keycloak.conf for node 1: MySQL database, embedded Infinispan cache,
# HTTP on port 8081 and HTTPS on port 9002.
db=mysql
# NOTE(review): connects as the MySQL root account; a dedicated database user
# limited to the Keycloak schema is preferable.
db-username=root
db-url-host=localhost
db-pool-min-size=10
# Selects the JGroups "tcp" stack for traffic between cluster nodes.
# NOTE(review): nothing on this page configures encryption or authentication for
# that traffic; confirm the cluster network is trusted.
cache-stack=tcp
# NOTE(review): "all" is the most verbose level and may write sensitive request data
# to the logs; keep it for local troubleshooting only.
log-level=all
# Plain-HTTP listener enabled alongside HTTPS; anything sent to port 8081,
# including tokens and credentials, is unencrypted.
http-enabled=true
http-port=8081
cache=ispn
cache-config-file=cache-ispn-2.xml
# NOTE(review): the token shown on this page has an "iss" ending in :9002, this
# node's HTTPS port. "hostname" is set but no hostname-port, so the issuer is
# presumably derived from the port each request arrives on. A node listening on a
# different port would then compute a different issuer and may report the token as
# inactive on introspection. Verify by comparing the issuer each node advertises.
https-port=9002
# NOTE(review): health and metrics endpoints are served by this node; restrict
# access to them at the proxy or network layer.
health-enabled=true
metrics-enabled=true
https-certificate-file=/Users/mymac/Documents/projects/certificate/domain.crt
# NOTE(review): the TLS private key sits in a user Documents folder; make sure it is
# readable only by the account that runs Keycloak.
https-certificate-key-file=/Users/mymac/Documents/projects/certificate/domain.key
#proxy=reencrypt
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Hostname for the Keycloak server.
hostname=192.168.84.129
On node 2, keycloak.conf is:
# keycloak.conf for node 2: MySQL database and embedded Infinispan cache.
# No http-port or https-port is set, so this node uses Keycloak's default ports.
# NOTE(review): node 1 on this page sets https-port=9002 and the token's "iss"
# carries :9002. With the same "hostname" but a different listening port, this node
# presumably computes a different issuer, which is a likely reason introspection here
# rejects tokens issued by node 1. Verify, then align the advertised issuer across
# nodes (for example a fixed hostname-port or a common reverse proxy).
db=mysql
# NOTE(review): connects as the MySQL root account; a dedicated database user
# limited to the Keycloak schema is preferable.
db-username=root
db-url-host=localhost
db-pool-min-size=10
# Selects the JGroups "tcp" stack for traffic between cluster nodes.
# NOTE(review): nothing on this page configures encryption or authentication for
# that traffic; confirm the cluster network is trusted.
cache-stack=tcp
cache=ispn
# NOTE(review): "all" is the most verbose level and may write sensitive request data
# to the logs; keep it for local troubleshooting only.
log-level=all
# Plain-HTTP listener enabled alongside HTTPS; traffic on it is unencrypted.
http-enabled=true
cache-config-file=cache-ispn-2.xml
https-certificate-file=/Users/mymac/Documents/office_projects/certificate/domain.crt
# NOTE(review): this key file name differs from the one in node 1's configuration
# while the certificate file name is the same; confirm the key matches the
# certificate and is readable only by the account that runs Keycloak.
https-certificate-key-file=/Users/mymac/Documents/office_projects/certificate/airtel.key
# The proxy address forwarding mode if the server is behind a reverse proxy.
#proxy=reencrypt
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Hostname for the Keycloak server.
hostname=192.168.84.129
Access token generated:
{
"exp": 1681583496,
"iat": 1681583196,
"jti": "a1f6a283-32ad-44a6-90ef-949b7613870a",
"iss": "https://192.168.84.129:9002/realms/TEST",
"aud": "account",
"sub": "76b10db5-105e-4127-bad9-0dcacbfee175",
"typ": "Bearer",
"azp": "test-cleint",
"session_state": "c7a09eb8-ab64-4aad-b04f-b43dbb811e99",
"realm_access": {
"roles": [
"offline_access",
"default-roles-atb",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid email profile",
"sid": "c7a09eb8-ab64-4aad-b04f-b43dbb811e99",
"email_verified": false,
"test-cleint": "[manage-account, manage-account-links, view-profile]",
"name": "cluster keycloak",
"preferred_username": "[email protected]",
"given_name": "cluster",
"family_name": "keycloak",
"email": "[email protected]"
}