Tags: java, session, openid, load-balancing, failover

OpenID in a load-balanced situation


I'm looking at implementing an OpenID provider ('OP') using Java + Tomcat/JBoss.

Now one of the key things about OpenID is that

  1. The user communicates with both the OP and the RP and has a session with both sites.
  2. The OP and RP communicate with each other to ensure the user hasn't faked anything.

A subject I've not been able to find any documentation on is the question of how to correctly implement this in a load-balanced situation.

The generic issue I fear is that the RP connects to the OP and ends up on a different application server than the user.

My questions:

  • What is the right way to handle this?
  • What is the 'best' OpenID library to use?

Thanks.


Solution

  • The generic issue I fear is that the RP connects to the OP and ends up on a different application server than the user.

    Save the conversation state in a shared storage, that is, a database or a distributed cache. A cache would be faster, and you don't need much persistence anyway.

    Load-balancing with sticky sessions (all subsequent requests from the same client go to the same server) would reduce the number of cache updates.

    (Clustered HTTP sessions, which I intended to advise initially, wouldn't work, as the same conversation is spread between two sessions: the user's and the application's.)
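To make the answer's point concrete, here is an added example (not code from the question, the answer, or any OpenID library) that models two OP nodes behind a load balancer. The user's browser completes `checkid_setup` on node A, while the RP's direct `check_authentication` request lands on node B. The only state the second node has to find is the association secret (keyed by `assoc_handle`) and the set of already-consumed response nonces; when each node keeps that in its own memory the verification fails with an unknown handle, and when both nodes read the same store it succeeds, replays are refused, and a tampered assertion fails its signature check. Class names, the `SharedStore` stand-in for a cache or database, and the simplified key-value signing are all constructed assumptions, not the real wire protocol.

```python
import hashlib
import hmac
import secrets
import time

# Constructed toy model of an OpenID provider (OP) running on two nodes behind a
# load balancer. It is deliberately reduced to the two pieces of state an OP must
# be able to look up on whichever node receives the RP's direct request:
# association secrets (by handle) and single-use response nonces.


class SharedStore:
    """Stand-in for a distributed cache or database reachable from every node."""

    def __init__(self):
        self.assocs = {}     # assoc_handle -> (secret bytes, expiry timestamp)
        self.nonces = set()  # response nonces already consumed by a verification


class OpNode:
    def __init__(self, name, store):
        self.name = name
        self.store = store  # per-node store (broken) or the shared one (correct)

    def checkid_setup(self, claimed_id, return_to):
        """User-facing step: the user authenticated here; issue a signed assertion."""
        handle = secrets.token_urlsafe(16)
        secret = secrets.token_bytes(32)
        self.store.assocs[handle] = (secret, time.time() + 300)
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
        fields = {
            "openid.mode": "id_res",
            "openid.claimed_id": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": nonce,
            "openid.assoc_handle": handle,
        }
        # Every field above is covered by the signature (simplified from the spec).
        fields["openid.signed"] = ",".join(k[len("openid."):] for k in fields)
        fields["openid.sig"] = self._sign(fields, secret)
        return fields

    @staticmethod
    def _sign(fields, secret):
        signed = fields["openid.signed"].split(",")
        kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
        return hmac.new(secret, kv.encode(), hashlib.sha256).hexdigest()

    def check_authentication(self, fields):
        """RP-facing direct request: may arrive at ANY node behind the balancer."""
        entry = self.store.assocs.get(fields.get("openid.assoc_handle"))
        if entry is None:
            return False, "unknown assoc_handle"
        secret, expiry = entry
        if time.time() > expiry:
            return False, "association expired"
        if not hmac.compare_digest(self._sign(fields, secret), fields["openid.sig"]):
            return False, "bad signature"
        nonce = fields["openid.response_nonce"]
        if nonce in self.store.nonces:
            return False, "nonce replayed"
        self.store.nonces.add(nonce)  # consume the nonce so the assertion is single-use
        return True, "is_valid:true"


def run_scenario(shared):
    """User hits node A; the RP's verification hits node B.

    Returns a dict with the outcomes of a tampered, a genuine, and a replayed check.
    """
    if shared:
        store = SharedStore()
        node_a, node_b = OpNode("A", store), OpNode("B", store)
    else:
        node_a, node_b = OpNode("A", SharedStore()), OpNode("B", SharedStore())
    assertion = node_a.checkid_setup("https://op.example/alice", "https://rp.example/finish")
    tampered = dict(assertion, **{"openid.claimed_id": "https://op.example/mallory"})
    return {
        "tampered": node_b.check_authentication(tampered),
        "genuine": node_b.check_authentication(assertion),
        "replay": node_b.check_authentication(assertion),
    }


if __name__ == "__main__":
    print("per-node state :", run_scenario(shared=False))
    print("shared state   :", run_scenario(shared=True))
```

Sticky sessions alone would not fix the per-node case: the RP's direct request does not carry the user's session cookie, so the balancer has nothing to pin it on. Sharing the association and nonce state is what makes the second node able to answer.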