[keycloak-dev] regarding expired sessions and token life-span

Alexey Kazakov alkazako at redhat.com
Tue Oct 3 13:37:25 EDT 2017


So, if all Keycloak nodes are down the user login sessions will be lost?

1. Start a few KC nodes. Some user logs into KC and the refresh token is
stored in the app.
2. Kill all the KC nodes, so, cache cannot be replicated across the
cluster. Re-start them again.
3. The app tries to refresh the token using the refresh token from step #1.
4. KC fails to refresh the token because there is no active session
associated with that token. So, the user has to re-login.

Is this correct?

On 09/29/2017 06:49 AM, Bill Burke wrote:
> TLDR; only offline tokens require database storage.
>
> We have regular tokens and offline tokens.  We do not store regular
> tokens in memory or on disk.  Instead, we have the concept of a login
> session (UserSessionModel) which holds metadata about the login.  These
> sessions are stored in memory and within a distributed cache if in a
> cluster.  Access and Refresh tokens are minted, digitally signed and
> validated and created against metadata within the login session.
>
> Offline tokens are very long lived and thus require their login
> session being persisted in a database.
>
>
>
> On Thu, Sep 28, 2017 at 9:05 AM, Kishan Sagathiya <ksagathi at redhat.com> wrote:
>> Hi,
>> I am trying to figure out how Keycloak deals with expired sessions and how
>> token lifespan affects Keycloak database size and performance.
>> But I don't understand the directory structure and where to find the
>> relevant code.
>> If someone could give some pointers regarding this that would be great
>> Thanks :)
>>
>> -Kishan Sagathiya
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
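The storage split Bill describes, and the restart scenario in Alexey's steps 1-4, as a toy model added here rather than Keycloak's own code: Node, login, refresh and restart_scenario are hypothetical names, and an HMAC stands in for the realm's token signature.

```python
"""Toy model of the session/token split described in the thread.
Added illustration, not Keycloak's code: Node, login, refresh and
restart_scenario are hypothetical names."""
import base64, hashlib, hmac, json, secrets, time

KEY = b"constructed-demo-signing-key"  # stands in for the realm's signing key

def _sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def _verify(token: str) -> dict:
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

class Node:
    """One KC node: `sessions` is the in-memory/replicated cache,
    `offline_db` stands in for the database that survives restarts."""
    def __init__(self, offline_db: dict):
        self.sessions = {}
        self.offline_db = offline_db

    def login(self, user: str, offline: bool = False) -> str:
        sid = secrets.token_hex(8)
        record = {"user": user, "started": time.time()}
        (self.offline_db if offline else self.sessions)[sid] = record
        return _sign({"sid": sid, "sub": user, "offline": offline})  # refresh token

    def refresh(self, refresh_token: str) -> str:
        claims = _verify(refresh_token)   # signature check needs no storage
        store = self.offline_db if claims["offline"] else self.sessions
        if claims["sid"] not in store:    # session gone: user must log in again
            raise PermissionError("no active session for token")
        return _sign({"sid": claims["sid"], "sub": claims["sub"], "typ": "access"})

def restart_scenario(offline: bool) -> bool:
    """Alexey's steps 1-4: login, kill every node, restart, try to refresh.
    Returns True if the refresh still succeeds after the restart."""
    db = {}                                # database outlives the nodes
    rt = Node(db).login("alice", offline)  # step 1 on the old cluster
    fresh = Node(db)                       # step 2: new node, empty cache
    try:
        fresh.refresh(rt)                  # step 3
        return True
    except PermissionError:                # step 4
        return False
```

In this model a regular refresh token is still correctly signed after the restart, but the refresh fails because the login session it points at only lived in the cache; the offline variant survives because its session was persisted.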
