[keycloak-user] offlineSessions data in cache vs db
Marek Posolda
mposolda at redhat.com
Wed Jan 10 16:13:53 EST 2018
Yes, I've replied. It seems this thread was send to both "keycloak-dev"
and "keycloak-user" and I've replied to "keycloak-dev" . Answer is here:
http://lists.jboss.org/pipermail/keycloak-dev/2017-December/010249.html .
Marek
On 10/01/18 19:13, Josh Cain wrote:
> Looking to do some work with offline tokens and I had similar questions.
> Was there ever a response to this?
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 11/21/2017 05:12 PM, Tonnis Wildeboer wrote:
>> Hello Keycloak Users,
>>
>> Ultimately, what we want to do is have three nodes in one Kubernetes
>> namespace that define a cluster. Then be able to add three more nodes to
>> the cluster in a new namespace that shares the same subnet and database,
>> then kill off the original three nodes, effectively migrating the
>> cluster to the new namespace and do all this without anyone being logged
>> out. The namespace distinction is invisible to Keycloak, as far as I can
>> tell.
>>
>> What we have tried:
>> * Start with 3 standalone-ha mode instances clustered with
>> JGroups/JDBC_PING.
>> * Set the number of cache owners for sessions to 6.
>> * Start the three new instances in the new Kubernetes namespace,
>> configured exactly the same as the first three - that is, same db, same
>> number of cache owners.
>> * Kill the original three
>>
>> But it seems this caused offlineSession tokens to be expired immediately.
>>
>> I found this in the online documentation
>> (http://www.keycloak.org/docs/latest/server_installation/index.html#server-cache-configuration):
>>
>> > The second type of cache handles managing user sessions, offline
>> tokens, and keeping track of login failures... The data held in these
>> caches is temporary, in memory only, but is possibly replicated across
>> the cluster.
>>
>> > The sessions, authenticationSessions, offlineSessions and
>> loginFailures caches are the only caches that may perform replication.
>> Entries are not replicated to every single node, but instead one or more
>> nodes is chosen as an owner of that data. If a node is not the owner of
>> a specific cache entry it queries the cluster to obtain it. What this
>> means for failover is that if all the nodes that own a piece of data go
>> down, that data is lost forever. By default, Keycloak only specifies one
>> owner for data. So if that one node goes down that data is lost. This
>> usually means that users will be logged out and will have to login again.
>>
>> It appears, based on these documentation comments and our experience,
>> that the "source of truth" regarding offlineSessions is the data in the
>> "owner" caches, is NOT the database, as I would have expected. It also
>> seems to be the case that if a node joins the cluster (as defined by
>> JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions
>> cache from the database, but must rely on replication from one of the
>> owner nodes.
>>
>> Questions:
>> 1. Is the above understanding regarding the db vs cache correct?
>> 2. If so, please explain the design/reasoning behind this behavior.
>> Otherwise, please correct my understanding.
>> 3. Is there a way to perform this simple migration without losing any
>> sessions?
>>
>> Thanks,
>>
>> --Tonnis
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list