corona-warn-app / cwa-verification-portal

Frontend implementation of verification process


Session validation in env with several Pods does not work

lbenthins opened this issue · comments

Problem description:

When a user logs in (via the cwa-verification-iam), the cwa-verification-portal creates a session which is stored:

  • in the cwa-verification-portal's session store (this is handled by Spring Boot)
  • and in the user's browser as a cookie (SESSION).

For the further HTTP requests (e.g., generate TeleTan), the cwa-verification-portal verifies the created session, which is sent along with the requests. The cwa-verification-portal does not redirect the user to the cwa-verification-iam for authentication and authorization, unless the session has expired or is invalid.

The above described scenario works well when only one instance (Pod) of the cwa-verification-portal is active in the OpenShift environment. As soon as more Pods become active, a session created by one Pod can end up in a different Pod. This causes the cwa-verification-portal to redirect the user to the cwa-verification-iam for authentication, since the session is invalid for that Pod. This can trigger an endless loop. Moreover, when loading resources such as images or CSS stylesheets, the redirection to the cwa-verification-iam violates the Content-Security-Policy default-src 'self', causing the browser not to load the requested resources.

Possible Solution:

There are several approaches (e.g., sticky sessions, stateless application, session container) that can be implemented. The following links provide some insights to solve this problem:

https://www.haproxy.com/blog/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/

https://developers.redhat.com/blog/2018/05/04/externalized-http-session-in-openshift-3-9/

https://golb.hplar.ch/2019/05/stateless.html

Multiple Pods of Keycloak have been supported for a few versions.
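As an added illustration of the "session container" approach (example code, not part of this issue or of the cwa-verification-portal code base): a Spring Boot configuration that moves the HTTP session out of the individual Pod's JVM into a shared Redis instance, so that any Pod can validate the SESSION cookie and the redirect loop and the CSP violations do not occur. It assumes `spring-session-data-redis` (2.1 or later) and `spring-boot-starter-data-redis` are on the classpath, a Redis reachable from all Pods, and the hypothetical environment variables named in the comments.

```java
package app.coronawarn.verification.portal.config; // hypothetical package, not the project's

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/**
 * Keeps the HTTP session in a shared Redis instance instead of the memory of
 * one Pod, so every Pod behind the OpenShift route can validate the same
 * SESSION cookie. Sessions idle for 30 minutes are expired by Redis.
 */
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800)
public class SharedSessionConfig {

  // Hypothetical environment variables (assumed, not defined by the project).
  @Value("${SESSION_REDIS_HOST:localhost}")
  private String redisHost;

  @Value("${SESSION_REDIS_PORT:6379}")
  private int redisPort;

  @Value("${SESSION_REDIS_PASSWORD:}")
  private String redisPassword;

  @Bean
  public LettuceConnectionFactory redisConnectionFactory() {
    RedisStandaloneConfiguration conf = new RedisStandaloneConfiguration(redisHost, redisPort);
    if (!redisPassword.isEmpty()) {
      conf.setPassword(redisPassword); // never ship Redis unauthenticated outside the cluster network
    }
    return new LettuceConnectionFactory(conf);
  }

  @Bean
  public CookieSerializer cookieSerializer() {
    DefaultCookieSerializer serializer = new DefaultCookieSerializer();
    serializer.setCookieName("SESSION");   // keep the cookie name the portal already issues
    serializer.setUseHttpOnlyCookie(true); // not readable by page scripts
    serializer.setUseSecureCookie(true);   // only sent over TLS
    serializer.setSameSite("Lax");         // still sent on the top-level redirect back from the IAM
    return serializer;
  }
}
```

With Spring Boot auto-configuration the same result can be reached without the explicit connection-factory bean by setting `spring.session.store-type=redis` and the `spring.redis.*` properties in `application.yml`.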