[keycloak-dev] Improving SSO logout performance

Marek Posolda mposolda at redhat.com
Thu Feb 11 15:42:12 EST 2016 

What I'm currently thinking is, that all backchannel logout requests can 
be sent asynchronously, but the caller will wait for them until all the 
responses are received.

Like if there are 4 clientSessions here: 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L120 
, the "backchannelLogoutClientSession" will be triggered in 4 separate 
threads, but then will wait until all of them are finished (Thread.join 
or Future.get or something like that). In that case, Keycloak will be 
still aware of all the logout requests success and failures. Currently 
Keycloak is aware, but sending logout requests is sequential (request2 
send after response1 is received) and that's far from optimal solution IMO.

Btv. I've just checked that when some logout request fails, we just log 
it 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/ResourceAdminManager.java#L256 
. I guess we should also report it to LOGOUT Event to see which requests 
were successful and which failed. That's another issue though, but is 
quite related.

Marek

On 11/02/16 20:41, Marko Strukelj wrote:
> There is one neat side-effect of current implementation in that it is
> immediately apparent when backchannel events don't work due to
> misconfiguration or firewall issues.
>
> If the proposed optimisation is implemented I think we should add some
> logging on the server that will make it very obvious when backchannel
> events fail.
>
> On Thu, Feb 11, 2016 at 5:57 PM, Marek Posolda <mposolda at redhat.com> wrote:
>> Few things, which we can possibly do:
>>
>> - Currently when application initiates logout through
>> servletRequest.logout , it sends request to Keycloak logout endpoint.
>> This endpoint then sends backchannel request to all logged clients with
>> registered admin URL. I think we can improve here and not send request
>> to the original application, which initiated logout.
>>
>> For example: When product-portal application initiates logout through
>> servletRequest.logout, the adapter itself should be already able to do
>> all logout actions on it's side (invalidate httpSession etc) and there
>> is no need to send another request from keycloak to product-portal to
>> logout same httpSession.
>>
>> - Backchannel logout requests send by Keycloak (ResourceAdminManager)
>> could be send in parallel. Currently they are send sequentially, which
>> is not very optimal.
>>
>> WDYT?
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160211/b0c398de/attachment.html

More information about the keycloak-dev mailing list