[keycloak-dev] User/ClientSession for Offline Access Management Issue (lost, never recovered and unused one left on DB everlastingly)

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Tue Nov 5 03:51:03 EST 2019


Hello,

This issue might happen for Keycloak users who manage a large number of Offline Access sessions. IMO, resolving this issue might be beneficial for a lot of Keycloak users.
I'll try to tackle this issue, but I would be happy if anyone who is interested in this issue would discuss how to resolve it.

Regards,
Takashi Norimatsu
Hitachi, Ltd


----
From: 田畑義之 / TABATA,YOSHIYUKI <yoshiyuki.tabata.jy at hitachi.com> 
Sent: Wednesday, October 30, 2019 9:22 AM
To: keycloak-dev <keycloak-dev at lists.jboss.org>
Cc: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com>
Subject: User/ClientSession for Offline Access Management Issue (lost, never recovered and unused one left on DB everlastingly)

Hello,

# This is Yoshiyuki Tabata writing on behalf of Takashi Norimatsu.

I've used Keycloak (4.8.3.Final) in a clustering environment and managed about 500k user sessions for Offline Access. I've encountered the following 2 problems:

[Problems]

(i) Still-valid User/Client Sessions for Offline Access are lost, meaning lost from the Infinispan cache (offlineSessions, offlineClientSessions) of every Keycloak node in the cluster.

(ii) Such lost User/Client Sessions for Offline Access are left in the DB everlastingly.

As for (i), it seems reasonable for an ordinary SSO UserSession/ClientSession. However, it does not seem reasonable for User/Client Sessions for Offline Access that are persisted in the DB.

As for (ii), the size of unused resources in the DB seems to increase, which is the problem.


I think such problems seem to occur in the following clustering environments:

[Environment]

(a) Infinispan setting owners=1 for offlineSessions and offlineClientSessions

At least one Keycloak node is down.
The actual case has been reported on https://issues.jboss.org/browse/KEYCLOAK-11829.

(b) The # of Keycloak nodes is larger than the value of owners for offlineSessions and offlineClientSessions

A number of Keycloak nodes greater than or equal to the value of owners are down simultaneously.

(c) The # of Keycloak nodes is equal to the value of owners for offlineSessions and offlineClientSessions, and the size of the caches of offlineSessions and offlineClientSessions is bounded.

The active User/Client Session for Offline Access is evicted from the Infinispan cache.


I think the current workaround for these problems is as follows:

* Shut down all Keycloak nodes.
* Reboot one Keycloak node.

By doing so, the rebooted Keycloak node recovers all User/Client Sessions for Offline Access from the DB into the Infinispan cache.

However, as reported on https://issues.jboss.org/browse/KEYCLOAK-11019, downtime tends to be long when a vast number of User/Client Sessions for Offline Access exist in the DB, and that does not seem acceptable.

To get around it, what do you think about the following idea?

* If a User/Client Session for Offline Access is looked up in the Infinispan cache and not found, try to look it up in the DB.

I know it seems to increase disk access, so this point needs to be considered.

Regards,
Yoshiyuki Tabata (On behalf of Takashi Norimatsu)
Hitachi, Ltd.
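
The failure in environment (a) and the proposed fallback to the DB, as an added example that is not part of the original e-mail and is not Keycloak or Infinispan code. It is a toy model: the class, the node names `kc-1`..`kc-3`, the session ids and the hash-based placement are all constructed for illustration, and a downed node simply takes its share of the cache with it.

```python
# Added illustration: a toy model, not Keycloak or Infinispan code.
import hashlib


class ToyCluster:
    """Each session is cached on `owners` nodes and also persisted in `db`."""

    def __init__(self, nodes, owners):
        self.owners = owners
        self.segments = {n: {} for n in nodes}  # node -> its share of the cache
        self.db = {}                            # persistent offline-session table
        self.db_reads = 0                       # the "disk access" cost

    def _owner_nodes(self, key):
        live = sorted(self.segments)
        start = int(hashlib.sha256(key.encode()).hexdigest(), 16) % len(live)
        return [live[(start + i) % len(live)] for i in range(min(self.owners, len(live)))]

    def put(self, key, session):
        self.db[key] = session
        for node in self._owner_nodes(key):
            self.segments[node][key] = session

    def node_down(self, node):
        del self.segments[node]  # entries held only by this node leave the cache

    def cache_get(self, key):
        return next((seg[key] for seg in self.segments.values() if key in seg), None)

    def get_with_db_fallback(self, key):
        session = self.cache_get(key)
        if session is None:
            self.db_reads += 1              # every miss costs a DB read,
            session = self.db.get(key)      # including ids that exist nowhere
            if session is not None:         # re-cache so the next lookup is a hit
                for node in self._owner_nodes(key):
                    self.segments[node][key] = session
        return session


def simulate(owners, sessions=300):
    cluster = ToyCluster(["kc-1", "kc-2", "kc-3"], owners)
    keys = [f"offline-{i}" for i in range(sessions)]
    for k in keys:
        cluster.put(k, {"user": k})
    cluster.node_down("kc-2")
    lost = sum(cluster.cache_get(k) is None for k in keys)
    recovered = sum(cluster.get_with_db_fallback(k) is not None for k in keys)
    reads_first = cluster.db_reads
    for k in keys:                          # second pass is served from the cache
        cluster.get_with_db_fallback(k)
    return lost, recovered, reads_first, cluster.db_reads
```

`simulate(owners=1)` returns the number of sessions missing from the cache after one node goes down, the number still resolvable through the fallback, and the DB reads after the first and second lookup passes; in this model the extra reads are bounded by the number of lost entries, while lookups of ids that are in neither store cost a read every time.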





