<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Just updated the PR with the removed
      flag from invalidateUsers, which Bill mentioned earlier - should
      be slightly cleaner now.<br>
      <br>
      Marek<br>
      <br>
      <br>
      On 22/03/16 17:50, Stian Thorgersen wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAeBbyWapbZAob4BhXFRzokTGoFht8qE_qzc9sbJ87RtZg@mail.gmail.com"
      type="cite">
      <p dir="ltr">Ok, if Bill reviews and is happy to include in 1.9.x
        let's do it.</p>
      <div class="gmail_quote">On 22 Mar 2016 16:29, "Marek Posolda"
        &lt;<a moz-do-not-send="true" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div>Yeah, there might be some risk of regression. On the
              other hand, there are DB queries during each social login
              or every time when you click on "federated identities" in
              account management. <br>
              <br>
              If you think missing caching is acceptable from
              performance perspective etc, I can merge just to master
              and avoid 1.9.x.<br>
              <br>
              Marek<br>
              <br>
              On 22/03/16 17:18, Stian Thorgersen wrote:<br>
            </div>
            <blockquote type="cite">
              <p dir="ltr">Is this really critical for 1.9.x? I'm
                worried about us intruding more complexity so late and
                I'd rather postpone to 2.x.</p>
              <div class="gmail_quote">On 22 Mar 2016 15:36, "Marek
                Posolda" &lt;<a moz-do-not-send="true"
                  href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;

                wrote:<br type="attribution">
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">On
                  22/03/16 15:18, Bill Burke wrote:<br>
                  &gt; Some comments on code:<br>
                  &gt;<br>
                  &gt; * Why have a special flag in invalidateUser? 
                  Just invalidate the links<br>
                  &gt; if they exist.  Aggressive eviction isn't a bad
                  thing, is it?<br>
                  The only reason was performance. The flag "false" is
                  used when you're<br>
                  adding new user. But this new user is not yet in
                  cache, so calling<br>
                  "getFederatedIdentities" will always need to send DB
                  query to get all<br>
                  links of user. But when you're adding new user, you
                  know that this user<br>
                  doesn't yet have any social links. So in the end,
                  without the flag there<br>
                  will be one more DB query, which will always return
                  empty set.<br>
                  <br>
                  Currently we don't support store/load of social links
                  from federation<br>
                  provider. But maybe in the future, if we support it
                  and we chain cache<br>
                  on top of federation storage, it could theoretically
                  happen that new<br>
                  user have social links at the moment when he is
                  registered. So I can do<br>
                  what you proposed as it seems to be a bit safer for
                  the future.<br>
                  <br>
                  Marek<br>
                  &gt;<br>
                  &gt; On a side note, cache needs more refactoring,
                  we're reusing the same<br>
                  &gt; pattern over and over.  Wonder if functions can
                  help.<br>
                  &gt;<br>
                  &gt;<br>
                  &gt; On 3/22/2016 5:42 AM, Marek Posolda wrote:<br>
                  &gt;&gt; Until now, we don't have support for caching
                  of identityProvider<br>
                  &gt;&gt; (social) links. So every social login or
                  every going to "federated<br>
                  &gt;&gt; identities" tab in account management needs
                  to send DB queries. I was<br>
                  &gt;&gt; looking at fixing it and I've send PR<br>
                  &gt;&gt; <a moz-do-not-send="true"
                    href="https://github.com/keycloak/keycloak/pull/2404"
                    rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/pull/2404</a>
                  . It turned to be a bit<br>
                  &gt;&gt; tricky because of:<br>
                  &gt;&gt;<br>
                  &gt;&gt; 1) Caching needs to be done on both
                  directions. For social login, you<br>
                  &gt;&gt; need to lookup user by social link. But on
                  the other hand, you also need<br>
                  &gt;&gt; to look all social/identityProvider links of
                  particular user when you go<br>
                  &gt;&gt; to account management etc.<br>
                  &gt;&gt;<br>
                  &gt;&gt; 2) Because of "store token" option, the link
                  may need to be updated in<br>
                  &gt;&gt; DB quite often (in theory even during each
                  social login).<br>
                  &gt;&gt;<br>
                  &gt;&gt; I was thinking that storing links directly on
                  CachedUser doesn't work<br>
                  &gt;&gt; very well, because during each update of
                  social link (which may be often<br>
                  &gt;&gt; because of "store token") the user would need
                  to be fully invalidated<br>
                  &gt;&gt; from cache. Having separate cache entry for
                  each social link also has<br>
                  &gt;&gt; some downsides (many items in cache, need to
                  have separate entry for<br>
                  &gt;&gt; store the all links of user anyway). So I
                  ended up with having the cache<br>
                  &gt;&gt; entry, which contains list of all links of
                  particular user. It needs to<br>
                  &gt;&gt; be updated when any social link is
                  added,removed or updated. This seemed<br>
                  &gt;&gt; to me like good compromise. WDYT?<br>
                  &gt;&gt;<br>
                  &gt;&gt; There are also entries for lookup user by
                  federated identity, so you<br>
                  &gt;&gt; don't need to query DB during social login.<br>
                  &gt;&gt;<br>
                  &gt;&gt; So ATM there are not DB queries during social
                  login or during go to<br>
                  &gt;&gt; "federated identities" . I hope I handled all
                  corner cases and<br>
                  &gt;&gt; invalidations correctly, but if someone want
                  to take look it will be<br>
                  &gt;&gt; good. I don't want to add new regressions atm
                  :-)<br>
                  &gt;&gt;<br>
                  &gt;&gt; Marek<br>
                  &gt;&gt;<br>
                  &gt;&gt;<br>
                  &gt;&gt;<br>
                  &gt;&gt;<br>
                  &gt;&gt;<br>
                  &gt;&gt;<br>
                  &gt;&gt;
                  _______________________________________________<br>
                  &gt;&gt; keycloak-dev mailing list<br>
                  &gt;&gt; <a moz-do-not-send="true"
                    href="mailto:keycloak-dev@lists.jboss.org"
                    target="_blank">keycloak-dev@lists.jboss.org</a><br>
                  &gt;&gt; <a moz-do-not-send="true"
                    href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                    rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                  <br>
                  _______________________________________________<br>
                  keycloak-dev mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:keycloak-dev@lists.jboss.org"
                    target="_blank">keycloak-dev@lists.jboss.org</a><br>
                  <a moz-do-not-send="true"
                    href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                    rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                </blockquote>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>