[keycloak-user] offlineSessions data in cache vs db
Josh Cain
jcain at redhat.com
Wed Jan 10 13:13:35 EST 2018
Looking to do some work with offline tokens and I had similar questions.
Was there ever a response to this?
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain
On 11/21/2017 05:12 PM, Tonnis Wildeboer wrote:
> Hello Keycloak Users,
>
> Ultimately, what we want to do is have three nodes in one Kubernetes
> namespace that define a cluster. Then be able to add three more nodes to
> the cluster in a new namespace that shares the same subnet and database,
> then kill off the original three nodes, effectively migrating the
> cluster to the new namespace and do all this without anyone being logged
> out. The namespace distinction is invisible to Keycloak, as far as I can
> tell.
>
> What we have tried:
> * Start with 3 standalone-ha mode instances clustered with
> JGroups/JDBC_PING.
> * Set the number of cache owners for sessions to 6.
> * Start the three new instances in the new Kubernetes namespace,
> configured exactly the same as the first three - that is, same db, same
> number of cache owners.
> * Kill the original three
>
> But it seems this caused offlineSession tokens to be expired immediately.
>
> I found this in the online documentation
> (http://www.keycloak.org/docs/latest/server_installation/index.html#server-cache-configuration):
>
> > The second type of cache handles managing user sessions, offline
> tokens, and keeping track of login failures... The data held in these
> caches is temporary, in memory only, but is possibly replicated across
> the cluster.
>
> > The sessions, authenticationSessions, offlineSessions and
> loginFailures caches are the only caches that may perform replication.
> Entries are not replicated to every single node, but instead one or more
> nodes is chosen as an owner of that data. If a node is not the owner of
> a specific cache entry it queries the cluster to obtain it. What this
> means for failover is that if all the nodes that own a piece of data go
> down, that data is lost forever. By default, Keycloak only specifies one
> owner for data. So if that one node goes down that data is lost. This
> usually means that users will be logged out and will have to login again.
>
> It appears, based on these documentation comments and our experience,
> that the "source of truth" regarding offlineSessions is the data in the
> "owner" caches, is NOT the database, as I would have expected. It also
> seems to be the case that if a node joins the cluster (as defined by
> JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions
> cache from the database, but must rely on replication from one of the
> owner nodes.
>
> Questions:
> 1. Is the above understanding regarding the db vs cache correct?
> 2. If so, please explain the design/reasoning behind this behavior.
> Otherwise, please correct my understanding.
> 3. Is there a way to perform this simple migration without losing any
> sessions?
>
> Thanks,
>
> --Tonnis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180110/9cbedffe/attachment-0001.bin
More information about the keycloak-user
mailing list