[keycloak-dev] Offline sessions persistence changes

Stian Thorgersen sthorger at redhat.com
Wed Oct 14 07:20:10 EDT 2015


On 14 October 2015 at 12:22, Marek Posolda <mposolda at redhat.com> wrote:

> I've sent PR https://github.com/keycloak/keycloak/pull/1726 with the
> persistent changes for offline tokens according to what we discussed
> with Stian.
>
> Summary:
>
> - Offline userSessions and clientSessions are now stored in infinispan,
> but also in DB.
>
> - DB storage is done through UserSessionPersisterProvider SPI. I've
> added implementations based on JPA and Mongo.
>
> - When new offline userSession and clientSessions need to be stored, they
> are added to both infinispan and persistent storage through
> UserSessionPersisterProvider. Revocation/removing of offline session is
> also propagated to both infinispan and persister.
>
> - All requests to auth-server (i.e. refreshing token etc) interact with
> infinispan storage. Persister is used just during startup to pre-load
> infinispan storage with the sessions from DB. This allows sessions to
> survive a server restart.
>
> - New cache "offlineSessions" was added to the Infinispan. This is
> separate from the "sessions" cache as both can have stored sessions with
> same IDs, so this is to avoid them clashing with each other.
>
> - I've looked at how to best implement the pre-loading of infinispan
> with the sessions from persister storage. The infinispan builtin
> CacheStore/CacheLoader was my first attempt, however it turned out not
> to be very good for various reasons (For example CacheStore SPI is
> incompatible between Infinispan 5 and 6, same for the format of data
> etc). In the end I used infinispan DistributionService:
> http://infinispan.org/docs/5.0.x/user_guide/user_guide.html#_infinispan_distributed_execution_framework
> The impl is done in a way that parallel startup of cluster nodes is
> not a problem, but an advantage as each cluster node prefills different
> sessions. For example if you have 1000.000 userSessions in DB, the node1
> will preload around 500.000 sessions and node2 another 500.000 sessions.
> If one of the nodes crashes at startup, it's not a problem as well, even
> if it's coordinator node. Similarly when new node joins cluster when
> other nodes are still starting and pre-loading, new node will
> immediately start to help with pre-loading. I wonder if we can reuse this
> stuff for other long-running tasks as well (for example export/import of
> big number of users at startup etc)
>
> - MemUserSessionProvider was updated too, so EAP 6.4 in local mode works
> fine as well.
>
> - The persister saves offline sessions data into DB partially serialized
> into JSON. Only the columns that are needed for quick DB search (id,
> realm_id, user_id, client_id) are saved as DB columns. I think this
> should simplify migration and the amount of work needed when a new field
> is added to UserSession / ClientSession.
>
> - It's possible to have more offline sessions / tokens per user+client
>
>
> Still TODO:
>
> - Add "Offline token idle timeout". The offline sessions not refreshed
> during specified time will be cleared from both infinispan and storage.
> Not sure about default value, 7 days?
>

I'd say more - 30 days?


>
> - Export/import of offline sessions.
>
> - Minor Juca's reported bug: https://issues.jboss.org/browse/KEYCLOAK-1959
>
> - Reduce some INFO logging I've added
>
> - Maybe more if you have additional feedback?
>
>
> I expect to have it done by Thursday. It seems I will need to postpone
> some LDAP enhancements I planned for this release :/
> But none of them are critical. Still need to double-check export/import
> and fix fuse for this release.
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
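As an added illustration of the design Marek describes (not code from the PR, from Keycloak or from Infinispan): a small model of offline sessions kept in an "offlineSessions" cache and written through to a DB persister, with revocation and the idle-timeout sweep propagated to both stores, and the startup pre-load split across cluster nodes. The table layout, the hash-based partition of rows between nodes and every name here are assumptions modelled on the description; sqlite stands in for the JPA/Mongo persister and a plain dict for the Infinispan cache. The sweep uses the 30-day value from the reply above.

```python
"""Toy model of the design in the thread: offline sessions kept in a cache
("offlineSessions") and written through to a DB persister, with revocation
propagated to both, startup pre-load partitioned across cluster nodes, and
an idle-timeout sweep. Constructed illustration; it does not use Keycloak's
own SPI classes (UserSessionPersisterProvider etc.) or Infinispan."""
import json
import sqlite3
import zlib

# Only the columns needed for DB lookups are real columns (as in the PR);
# every other session field is folded into a JSON blob. Assumed layout.
SCHEMA = """
CREATE TABLE IF NOT EXISTS offline_client_session (
    id TEXT PRIMARY KEY, realm_id TEXT NOT NULL, user_id TEXT NOT NULL,
    client_id TEXT NOT NULL, last_refresh INTEGER NOT NULL, data TEXT NOT NULL);
CREATE INDEX IF NOT EXISTS ocs_user ON offline_client_session(realm_id, user_id);
"""
INDEXED = ("id", "realm_id", "user_id", "client_id", "last_refresh")


class Persister:
    """Stand-in for the DB-backed persister (JPA/Mongo in the real PR)."""

    def __init__(self, conn):
        self.conn = conn
        conn.executescript(SCHEMA)

    def create(self, session):
        extra = {k: v for k, v in session.items() if k not in INDEXED}
        self.conn.execute(
            "INSERT OR REPLACE INTO offline_client_session VALUES (?,?,?,?,?,?)",
            tuple(session[k] for k in INDEXED) + (json.dumps(extra),))

    def remove(self, session_id):
        self.conn.execute("DELETE FROM offline_client_session WHERE id=?", (session_id,))

    def load_all(self):
        rows = self.conn.execute(
            "SELECT id, realm_id, user_id, client_id, last_refresh, data "
            "FROM offline_client_session").fetchall()
        return [dict(zip(INDEXED, r[:5]), **json.loads(r[5])) for r in rows]


class OfflineSessionStore:
    """The 'offlineSessions' cache on one cluster node, with write-through."""

    def __init__(self, persister):
        self.persister = persister
        self.cache = {}

    def create(self, session):           # new offline session: cache + DB
        self.cache[session["id"]] = session
        self.persister.create(session)

    def revoke(self, session_id):        # revocation hits both stores
        self.cache.pop(session_id, None)
        self.persister.remove(session_id)

    def refresh(self, session_id, now):  # token refresh touches only the cache
        self.cache[session_id]["last_refresh"] = now

    def expire_idle(self, now, idle_seconds):
        """Drop sessions not refreshed within idle_seconds from cache and DB."""
        stale = [sid for sid, s in self.cache.items()
                 if s["last_refresh"] < now - idle_seconds]
        for sid in stale:
            self.revoke(sid)
        return len(stale)

    def preload(self, node_index, node_count):
        """Startup pre-fill: this node loads only the DB sessions it owns
        (hash partition), so nodes starting in parallel split the work."""
        loaded = 0
        for s in self.persister.load_all():
            if zlib.crc32(s["id"].encode()) % node_count == node_index:
                self.cache[s["id"]] = s
                loaded += 1
        return loaded


def demo():
    """Constructed scenario: create, revoke, sweep, then a two-node restart."""
    conn = sqlite3.connect(":memory:")
    store = OfflineSessionStore(Persister(conn))
    now, day = 1_700_000_000, 86_400
    for i in range(6):                   # constructed sample sessions
        store.create(dict(id=f"cs-{i}", realm_id="demo", user_id=f"u{i % 2}",
                          client_id="app", last_refresh=now - i * 10 * day,
                          scope="offline_access", redirect_uri="https://app.example/cb"))
    store.revoke("cs-0")                 # user/admin revokes one offline token
    expired = store.expire_idle(now, 30 * day)   # 30-day idle timeout
    in_db = conn.execute("SELECT COUNT(*) FROM offline_client_session").fetchone()[0]
    # "Restart": two fresh nodes pre-load disjoint halves of the surviving rows.
    node0, node1 = (OfflineSessionStore(Persister(conn)) for _ in range(2))
    loaded = (node0.preload(0, 2), node1.preload(1, 2))
    return {"expired": expired, "in_db": in_db, "loaded": loaded,
            "union": set(node0.cache) | set(node1.cache),
            "overlap": set(node0.cache) & set(node1.cache)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties that matter for a revocation story: a revoked or idle-expired session is gone from the DB as well as the cache, so it cannot come back on the next restart's pre-load, and the two nodes' pre-load sets are disjoint while together covering every surviving row.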