[keycloak-user] offlineSessions data in cache vs db

Josh Cain jcain at redhat.com
Wed Jan 10 13:13:35 EST 2018 

Looking to do some work with offline tokens and I had similar questions.
 Was there ever a response to this?

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 11/21/2017 05:12 PM, Tonnis Wildeboer wrote:
> Hello Keycloak Users,
> 
> Ultimately, what we want to do is have three nodes in one Kubernetes 
> namespace that define a cluster. Then be able to add three more nodes to 
> the cluster in a new namespace that shares the same subnet and database, 
> then kill off the original three nodes, effectively migrating the 
> cluster to the new namespace and do all this without anyone being logged 
> out. The namespace distinction is invisible to Keycloak, as far as I can 
> tell.
> 
> What we have tried:
> * Start with 3 standalone-ha mode instances clustered with 
> JGroups/JDBC_PING.
> * Set the number of cache owners for sessions to 6.
> * Start the three new instances in the new Kubernetes namespace, 
> configured exactly the same as the first three - that is, same db, same 
> number of cache owners.
> * Kill the original three
> 
> But it seems this caused offlineSession tokens to be expired immediately.
> 
> I found this in the online documentation 
> (http://www.keycloak.org/docs/latest/server_installation/index.html#server-cache-configuration):
> 
>  > The second type of cache handles managing user sessions, offline 
> tokens, and keeping track of login failures... The data held in these 
> caches is temporary, in memory only, but is possibly replicated across 
> the cluster.
> 
>  > The sessions, authenticationSessions, offlineSessions and 
> loginFailures caches are the only caches that may perform replication. 
> Entries are not replicated to every single node, but instead one or more 
> nodes is chosen as an owner of that data. If a node is not the owner of 
> a specific cache entry it queries the cluster to obtain it. What this 
> means for failover is that if all the nodes that own a piece of data go 
> down, that data is lost forever. By default, Keycloak only specifies one 
> owner for data. So if that one node goes down that data is lost. This 
> usually means that users will be logged out and will have to login again.
> 
> It appears, based on these documentation comments and our experience, 
> that the "source of truth" regarding offlineSessions is the data in the 
> "owner" caches, is NOT the database, as I would have expected. It also 
> seems to be the case that if a node joins the cluster (as defined by 
> JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions 
> cache from the database, but must rely on replication from one of the 
> owner nodes.
> 
> Questions:
> 1. Is the above understanding regarding the db vs cache correct?
> 2. If so, please explain the design/reasoning behind this behavior. 
> Otherwise, please correct my understanding.
> 3. Is there a way to perform this simple migration without losing any 
> sessions?
> 
> Thanks,
> 
> --Tonnis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180110/9cbedffe/attachment-0001.bin

More information about the keycloak-user mailing list