[keycloak-user] Update account - login action tokens - how to make them persistent

Stian Thorgersen sthorger at redhat.com
Wed Mar 2 07:23:44 EST 2016


The tokens themselves are not stored, but can be verified by Keycloak as
long as the user session is active. So your question is how to make user
sessions persisted. We do not support persisting user sessions at the
moment. You have two choices:

1. Add an additional node and set owners to 2 for the user
session caches, or change it to a replicated cache. See the clustering
section in the docs for more details.
2. Try to configure Infinispan to persist the sessions. See
https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem for more
details.

On 1 March 2016 at 20:56, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:

> Hi all,
>
> What would we need to do to make Keycloak user sessions persistent in the
> database?
>
> I think the information in:
> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is
> not relevant anymore with Keycloak 1.9.0? Specifically:
>
> "userSessions": {
>         "provider": "jpa"
>     }
>
>
> Does not seem to work (“Failed to find provider jpa for userSessions”).
> User sessions are now managed using Infinispan by default if I understand
> correctly:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292
>  ?
>
> Is there a way to make user sessions persistent?
>
> Our issue is that we send out a lot of activation (‘update password’)
> emails from our (single) Keycloak server to new users and since we have a
> continuous delivery pipeline Keycloak goes down and up quite a bit and
> every time it restarts all temporary log in tokens used for these update
> password actions are lost (since they are stored in memory only). And if I
> understand correctly these tokens are actually a sort of user sessions.
>
> cheers
>
> Edgar
>
>
> On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>
> Hi,
>
> See if I understand this correctly: in the default set up of Keycloak
> sessions and temporary tokens are not persisted in the Keycloak database?
> So consider this scenario:
>
> 1/ login as admin to master realm
> 2/ go to Users - Credentials and send a ‘Update Password’ reset action
> email
> 3/ user receives an email with a link with a unique token to update
> his/her password in Keycloak
> 4/ Keycloak server is restarted for whatever reason
> 5/ the temporary ‘login action token’ no longer exists and the link from
> 3/ no longer works
>
> Is this correct and expected behaviour?
>
> And if so, can somebody maybe point us in the direction to solve this?
> I.e. by making sessions/tokens persistent I guess.
>
> cheers
>
> Edgar
>
>
>
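Option 1 from the reply above, shown as an added configuration sketch that is not part of the original thread or of the Keycloak documentation. The file name, cache-container layout and cache name are assumptions based on the stock clustered configuration of Keycloak releases of that period; compare against your own file before changing anything.

```xml
<!-- standalone/configuration/standalone-ha.xml, Infinispan subsystem.
     Assumed layout: only the user session cache is shown, the other
     caches in the container are left out. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>

    <!-- Before: each session entry lives on exactly one node, so
         restarting that node discards the entry and the action links
         that depend on it. -->
    <!-- <distributed-cache name="sessions" mode="SYNC" owners="1"/> -->

    <!-- After, variant A: each entry is held by two nodes, so one node
         can restart while the other still holds the session. -->
    <distributed-cache name="sessions" mode="SYNC" owners="2"/>

    <!-- After, variant B: a full copy on every node. Use this instead
         of variant A, not together with it. -->
    <!-- <replicated-cache name="sessions" mode="SYNC"/> -->
</cache-container>
```

Either variant keeps sessions in memory only, so they survive a deployment only if the nodes are restarted one at a time and the restarted node has rejoined the cluster before the next one goes down.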