<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I was thinking about this a bit more. On a DB removal, you actually
don't care if "child" elements don't get evicted from the cache.
For example, if a realm gets removed, you don't care if clients get
removed from cache or not because they will never be looked up
again. Eventually eviction policies will trigger and the old
irrelevant cache items will be gone.<br>
<br>
<div class="moz-cite-prefix">On 2/18/2016 9:03 AM, Bill Burke wrote:<br>
</div>
<blockquote cite="mid:56C5CF38.7040900@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 2/18/2016 8:56 AM, Stian
Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAezWgNJtE9FA4RY2yr1D-CrcrO3r06HvF20JhRVLy_a5w@mail.gmail.com"
type="cite">
<p dir="ltr"><br>
On 18 Feb 2016 13:53, "Bill Burke" <<a
moz-do-not-send="true" href="mailto:bburke@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:bburke@redhat.com">bburke@redhat.com</a></a>>
wrote:<br>
><br>
><br>
><br>
> On 2/18/2016 2:07 AM, Stian Thorgersen wrote:<br>
>><br>
>> Having two many joins (fetching everything about a
realm in one query) is probably going to be bad for
performance, especially if there are loads of clients and
roles. There can also be large difference between different
vendors.<br>
>><br>
>> Another thing in the future we should separate
clients out into a separate store. There could be thousands of
clients or even more. So they should be treated in a similar
fashion to users. Does that have impact on how we
improve/refactor/fix caching now?<br>
>><br>
><br>
> As I said before, OIDC logout queries *ALL* clients to
obtain a list of valid redirects to compare against the
redirect-uri passed to the logout endpoint. That's about the
only very frequent, non-adminstrative function that requires
obtaining a list of all clients. We also really need a way to
figure out of a realm invalidation is the result of the realm
being removed or just updated. Otherwise, you'll be evicting
thousands of clients and other realm related items every time
a realm is updated. Actually, maybe we're better off not
evicting clients on a realm removal, and just registering
invalidations for every client in the realm instead.</p>
<p dir="ltr">Why does OIDC logout need to list all clients? It
used to just get the clients that had client sessions for the
specific user session.</p>
<p dir="ltr">><br>
</p>
</blockquote>
OIDC logout endpoint has a redirect_uri parameter which tells
keycloak where to redirect *after* logout happens. This
redirect_uri needs to be checked. we may or may not know who
initiated the logout request based on the "id_token_hint"
parameter, nor is it guaranteed that the redirect-uri is in the
list of clients that are part of the session. <br>
<br>
This is one of the reasons why I wanted to create a generic query
cache. I could cache this list of redirect uri patterns and not
load every client.<br>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
</body>
</html>