<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 14 October 2015 at 12:22, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've sent PR <a href="https://github.com/keycloak/keycloak/pull/1726" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/pull/1726</a> with the<br>
persistent changes for offline tokens according to what we discussed<br>
with Stian.<br>
<br>
Summary:<br>
<br>
- Offline userSessions and clientSessiona are now stored in infinispan,<br>
but also in DB.<br>
<br>
- DB storage is done through UserSessionPersisterProvider SPI. I've<br>
added implementations based on JPA and Mongo.<br>
<br>
- When new offline userSession and clientSessions needs to be stored, it<br>
is added to both infinispan and persistent storage through<br>
UserSessionPersisterProvider. Revocation/removing of offline session is<br>
also propagated to both infinispan and persister.<br>
<br>
- All requests to auth-server (ie. refreshing token etc) interacts with<br>
infinispan storage. Persister is used just during startup to pre-load<br>
infinispan storage with the sessions from DB. This allows that sessions<br>
survive server restart.<br>
<br>
- New cache "offlineSessions" was added to the Infinispan. This is<br>
separate to the "sessions" cache as both can have stored sessions with<br>
same IDs, so this is to not clash with each other.<br>
<br>
- I've looked at how to best implement the pre-loading of infinispan<br>
with the sessions from persister storage. The infinispan builtin<br>
CacheStore/CacheLoader was my first attempt, however it turned to not<br>
very good for various reasons (For example CacheStore SPI is<br>
incompatible between Infinispan 5 and 6, same for the format of data<br>
etc). In the end I used infinispan DistributionService<br>
<a href="http://infinispan.org/docs/5.0.x/user_guide/user_guide.html#_infinispan_distributed_execution_framework" rel="noreferrer" target="_blank">http://infinispan.org/docs/5.0.x/user_guide/user_guide.html#_infinispan_distributed_execution_framework</a><br>
. The impl is done in a way that parallel startup of cluster nodes is<br>
not a problem, but an advantage as each cluster node prefills different<br>
sessions. For example if you have 1000.000 userSessions in DB, the node1<br>
will preload around 500.000 sessions and node2 another 500.000 sessions.<br>
If one of the nodes crashes at startup, it's not a problem as well, even<br>
if it's coordinator node. Similarly when new node joins cluster when<br>
other nodes are still starting and pre-loading, new node will<br>
immediatelly start to help with pre-loading. I wonder we can reuse this<br>
stuff for other long-running tasks as well (for example export/import of<br>
big number of users at startup etc)<br>
<br>
- MemUserSessionProvider was updated too, so EAP 6.4 in local mode works<br>
fine as well.<br>
<br>
- The persister saves offline sessions data into DB partially serialized<br>
into JSON. Just the columns, which are needed for quick DB search (id,<br>
realm_id, user_id, client_id) are saved as DB columns. I think this<br>
should simplify migration and amount of needed work when new field is<br>
added to UserSession / ClientSession.<br>
<br>
- It's possible to have more offline sessions / tokens per user+client<br>
<br>
<br>
Still TODO:<br>
<br>
- Add "Offline token idle timeout" . The offline sessions not refreshed<br>
during specified time will be cleared from both infinispan and storage.<br>
Not sure about default value, 7 days?<br></blockquote><div><br></div><div>I'd say more - 30 days?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
- Export/import of offline sessions.<br>
<br>
- Minor Juca's reported bug: <a href="https://issues.jboss.org/browse/KEYCLOAK-1959" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1959</a><br>
<br>
- Reduce some INFO logging I've added<br>
<br>
- Maybe more if you have additional feedback?<br>
<br>
<br>
I expect to have it done by Thursday. It seems I will need to postpone<br>
some LDAP enhancements I planned for this release :/<br>
But none of them are critical. Still need to doublecheck export/import<br>
and fix fuse for this release.<br>
<br>
Marek<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div></div>