Architecture question regardings multiple app instances

[msander]

I have implemented the OIDC authorization code flow for my application (using Keycloak as IdP).
Now I think about deploying the application in a cluster behind a load-balancer.
In oic.oauth2.Client there are several object variables which carry state, so I think the load-balancer will have to be setup in a way, that each user is always routed to the same app instance.
Is this correct?

[tpazderka]

Probably yes, the other option is to have a central storage for session related data and retrieve them on demand.

[msander]

👍 I think the central storage would be the better option, so we can restart the application server without losing sessions.
What would be a good way to achieve this? Is it enough to override the SessionBackend? Or do we also need to centrally store the "grant", "state2nonce",... dicts?

[gbip]

I think overriding the session backend is enough as the session data is saved when you leave your context.