<p dir="ltr"><br>
On 18 Feb 2016 13:53, "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br>
><br>
><br>
><br>
> On 2/18/2016 2:07 AM, Stian Thorgersen wrote:<br>
>><br>
>> Having two many joins (fetching everything about a realm in one query) is probably going to be bad for performance, especially if there are loads of clients and roles. There can also be large difference between different vendors.<br>
>><br>
>> Another thing in the future we should separate clients out into a separate store. There could be thousands of clients or even more. So they should be treated in a similar fashion to users. Does that have impact on how we improve/refactor/fix caching now?<br>
>><br>
><br>
> As I said before, OIDC logout queries *ALL* clients to obtain a list of valid redirects to compare against the redirect-uri passed to the logout endpoint. That's about the only very frequent, non-adminstrative function that requires obtaining a list of all clients. We also really need a way to figure out of a realm invalidation is the result of the realm being removed or just updated. Otherwise, you'll be evicting thousands of clients and other realm related items every time a realm is updated. Actually, maybe we're better off not evicting clients on a realm removal, and just registering invalidations for every client in the realm instead.</p>
<p dir="ltr">Why does OIDC logout need to list all clients? It used to just get the clients that had client sessions for the specific user session.</p>
<p dir="ltr">><br>
><br>
> -- <br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
><br>
</p>