[keycloak-dev] Offline sessions persistence changes

Marek Posolda mposolda at redhat.com
Wed Oct 14 06:22:09 EDT 2015


I've sent PR https://github.com/keycloak/keycloak/pull/1726 with the 
persistent changes for offline tokens according to what we discussed 
with Stian.

Summary:

- Offline userSessions and clientSessions are now stored in infinispan, 
but also in DB.

- DB storage is done through UserSessionPersisterProvider SPI. I've 
added implementations based on JPA and Mongo.

- When new offline userSessions and clientSessions need to be stored, they 
are added to both infinispan and persistent storage through 
UserSessionPersisterProvider. Revocation/removing of offline session is 
also propagated to both infinispan and persister.

- All requests to auth-server (i.e. refreshing token etc.) interact with 
infinispan storage. Persister is used just during startup to pre-load 
infinispan storage with the sessions from DB. This allows sessions to 
survive server restart.

- New cache "offlineSessions" was added to the Infinispan. This is 
separate to the "sessions" cache as both can have stored sessions with 
same IDs, so this is to not clash with each other.

- I've looked at how to best implement the pre-loading of infinispan 
with the sessions from persister storage. The infinispan builtin 
CacheStore/CacheLoader was my first attempt, however it turned out not to 
be very good for various reasons (For example CacheStore SPI is 
incompatible between Infinispan 5 and 6, same for the format of data 
etc). In the end I used infinispan DistributionService 
http://infinispan.org/docs/5.0.x/user_guide/user_guide.html#_infinispan_distributed_execution_framework 
. The impl is done in a way that parallel startup of cluster nodes is 
not a problem, but an advantage as each cluster node prefills different 
sessions. For example if you have 1000.000 userSessions in DB, the node1 
will preload around 500.000 sessions and node2 another 500.000 sessions. 
If one of the nodes crashes at startup, it's not a problem as well, even 
if it's coordinator node. Similarly when new node joins cluster when 
other nodes are still starting and pre-loading, new node will 
immediately start to help with pre-loading. I wonder if we can reuse this 
stuff for other long-running tasks as well (for example export/import of 
big number of users at startup etc).

- MemUserSessionProvider was updated too, so EAP 6.4 in local mode works 
fine as well.

- The persister saves offline sessions data into DB partially serialized 
into JSON. Just the columns, which are needed for quick DB search (id, 
realm_id, user_id, client_id) are saved as DB columns. I think this 
should simplify migration and amount of needed work when new field is 
added to UserSession / ClientSession.

- It's possible to have more offline sessions / tokens per user+client.


Still TODO:

- Add "Offline token idle timeout". The offline sessions not refreshed 
during specified time will be cleared from both infinispan and storage. 
Not sure about default value, 7 days?

- Export/import of offline sessions.

- Minor Juca's reported bug: https://issues.jboss.org/browse/KEYCLOAK-1959

- Reduce some INFO logging I've added

- Maybe more if you have additional feedback?


I expect to have it done by Thursday. It seems I will need to postpone 
some LDAP enhancements I planned for this release :/
But none of them are critical. Still need to double-check export/import 
and fix fuse for this release.

Marek
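
Added example, not part of the mail and not Keycloak's code: a small Python sketch of the storage design described above (write-through to a cache plus a persister, only the search columns id/realm_id/user_id/client_id as real DB columns with the rest of the session as JSON, refresh touching only the cache, revocation propagated to both, and restart pre-loading split across nodes). The class names, the sqlite table, the sha256-based partitioning and the idle-timeout cleanup are assumptions made for the illustration; Keycloak's UserSessionPersisterProvider and the Infinispan distributed execution framework are stood in for by plain Python objects.

```python
import hashlib
import json
import sqlite3

# Only these are stored as real DB columns (needed for quick lookups); every other
# session attribute goes into the JSON "data" column, so adding a new field to a
# session needs no schema migration. Constructed for this example.
SEARCH_COLUMNS = ("id", "realm_id", "user_id", "client_id")


class OfflineSessionPersister:
    """Hypothetical stand-in for a UserSessionPersisterProvider, backed by sqlite."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS offline_client_session ("
            "id TEXT PRIMARY KEY, realm_id TEXT NOT NULL, user_id TEXT NOT NULL, "
            "client_id TEXT NOT NULL, data TEXT NOT NULL)"
        )

    def save(self, session):
        cols = tuple(session[k] for k in SEARCH_COLUMNS)
        data = {k: v for k, v in session.items() if k not in SEARCH_COLUMNS}
        self.conn.execute(
            "INSERT OR REPLACE INTO offline_client_session VALUES (?, ?, ?, ?, ?)",
            cols + (json.dumps(data),),
        )

    def remove(self, session_id):
        self.conn.execute("DELETE FROM offline_client_session WHERE id = ?", (session_id,))

    def load_all(self):
        rows = self.conn.execute(
            "SELECT id, realm_id, user_id, client_id, data FROM offline_client_session ORDER BY id"
        )
        # Rebuild the full session dict: column values plus the JSON remainder.
        return [dict(zip(SEARCH_COLUMNS, row[:4]), **json.loads(row[4])) for row in rows]


class OfflineSessionNode:
    """One cluster node: a separate 'offlineSessions' cache next to 'sessions', sharing one persister."""

    def __init__(self, persister, node_index, node_count):
        self.persister = persister
        self.node_index, self.node_count = node_index, node_count
        self.caches = {"sessions": {}, "offlineSessions": {}}

    def create_offline_session(self, session):
        # Write-through: the new offline session goes to both the cache and the DB.
        self.caches["offlineSessions"][session["id"]] = dict(session)
        self.persister.save(session)

    def refresh(self, session_id, now):
        # A token refresh only touches the cache; the persister is not consulted or updated,
        # so the refreshed timestamp is lost on restart (a consequence of the described design).
        session = self.caches["offlineSessions"][session_id]
        session["last_refresh"] = now
        return session

    def revoke(self, session_id):
        # Revocation is propagated to both stores.
        self.caches["offlineSessions"].pop(session_id, None)
        self.persister.remove(session_id)

    def owns(self, session_id):
        # Stable partitioning (assumption) so that nodes starting in parallel pre-load disjoint slices.
        digest = hashlib.sha256(session_id.encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.node_count == self.node_index

    def preload(self):
        # Startup: pull this node's share of the persisted sessions back into the cache.
        loaded = 0
        for session in self.persister.load_all():
            if self.owns(session["id"]):
                self.caches["offlineSessions"][session["id"]] = session
                loaded += 1
        return loaded

    def expire_idle(self, now, idle_seconds):
        # Idle timeout (the TODO from the mail): sessions not refreshed in time leave both stores.
        stale = [sid for sid, s in self.caches["offlineSessions"].items()
                 if now - s["last_refresh"] > idle_seconds]
        for sid in stale:
            self.revoke(sid)
        return stale


def demo():
    """Constructed scenario: create sessions, refresh, revoke, then simulate a two-node restart."""
    persister = OfflineSessionPersister(sqlite3.connect(":memory:"))
    node = OfflineSessionNode(persister, 0, 1)
    for i in range(6):
        node.create_offline_session({"id": f"sess-{i}", "realm_id": "demo", "user_id": f"user-{i % 2}",
                                     "client_id": "app", "last_refresh": 1000 + i, "roles": ["offline_access"]})
    # A session with a field that did not exist before: stored without any schema change.
    node.create_offline_session({"id": "sess-extra", "realm_id": "demo", "user_id": "user-9", "client_id": "app",
                                 "last_refresh": 1500, "redirect_uri": "http://localhost/cb"})
    node.refresh("sess-1", 2000)
    node.revoke("sess-2")
    # Restart: two fresh nodes with empty caches pre-load in parallel, each taking a different slice.
    n1, n2 = OfflineSessionNode(persister, 0, 2), OfflineSessionNode(persister, 1, 2)
    loaded = (n1.preload(), n2.preload())
    c1, c2 = n1.caches["offlineSessions"], n2.caches["offlineSessions"]
    union = {**c1, **c2}
    return {
        "persisted": len(persister.load_all()),
        "loaded_per_node": loaded,
        "overlap": len(set(c1) & set(c2)),
        "union_ids": sorted(union),
        "sess_1_last_refresh_after_restart": union["sess-1"]["last_refresh"],
        "extra_field_survives": union["sess-extra"]["redirect_uri"],
    }


if __name__ == "__main__":
    print(demo())
```

The `owns` split stands in for the distributed-execution pre-load: the union of what the two nodes load equals the persisted set with no overlap, and `sess-2` is absent everywhere because revocation hit both stores. Note the `sess-1` timestamp after restart is the one that was persisted at creation, not the refreshed one, which is exactly what "persister is used just during startup" implies.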
