[keycloak-user] Shared datastore?

Nicolas Ocquidant nocquidant at gmail.com
Thu Nov 8 11:35:49 EST 2018


My requirements are the following: store tokens emitted by KC for one
year.

I don't know how many users there are, but here are the numbers I get:
  * the number of connections a week is about 700k.
  * the number of session refreshes a week is about 200k.

I approximated around 1M sessions a week, thus 52M a year.
In memory, a user session has been estimated around 4KB (about 1KB in
file/DB).

But I guess a refresh does not create another session, does it? And maybe
it's possible to ask KC to delete previously emitted tokens when a new one is
created for the same user?

If yes, my estimation is probably a little bit too high here, but I
certainly have several millions of tokens to keep (and maybe tens of
millions).

Thanks
--nick

On Wed, Nov 7, 2018 at 18:17, Nicolas Ocquidant <nocquidant at gmail.com>
wrote:

> Hi,
>
> According to Infinispan, when passivation is disabled, every update to the
> cache should always write to the store.
>
> But I can't manage to get it to work with Keycloak. If I disable passivation,
> my SQL store (Postgres) stays empty, even if the cache is full.
>
> So, if passivation is needed for Keycloak to write to the DB, it means
> that the use of a shared DB is not possible...
>
> But this leads to another issue for me. Enabling passivation without a
> shared DB seems to imply that either 'fetch-state' or 'purge' should be
> enabled on startup, in order for the cache to not contain stale entries.
>
> 15:27:44,626 WARN
> [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC
> service thread 1-6) ISPN000149: Fetch persistent state and purge on startup
> are both disabled, cache may contain stale entries on startup
>
> As I need to keep millions of sessions, this will considerably slow down
> the startup of my node (when started again after a crash for instance).
>
> So, is a shared datastore allowed in Keycloak? If yes, how do I enable it?
> Otherwise what other options do I have to improve my startup time, if
> millions of sessions are in the store?
>
> Thanks
> --nick
>

