<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hi Stian,
<div class=""><br class="">
</div>
<div class="">I realise that. However so far it is working ok for us. We do the re-importing because we really want a continuous delivery pipeline and doing run-time configuration is very different from that. We really only perform run-time configuration to
develop and test stuff, immediately after which we export it so that we can update the resulting realm JSON in Git. We work in a similar fashion with other products like content management systems where we make a very clear distinction between configuration
(=source code) and run-time managed content. Our CMS of choice (Magnolia) offers a nice upgrade mechanism that we use to re-import all our configuration on every upgrade.</div>
<div class=""><br class="">
</div>
<div class="">No, we do not re-import users. We see users (just like user groups, role mappings, group mappings and of course sessions) as run-time data (‘content’ to make the link to a CMS). </div>
<div class=""><br class="">
</div>
<div class="">In our set-up we store all this run-time data in Active Directory (well, except the sessions, which we do not store persistently yet) and therefore this re-importing in the Keycloak database works for us (to some degree).</div>
<div class=""><br class="">
</div>
<div class="">A question for you/the Keycloak team: how do you see Keycloak fit into a fully automated continuous delivery pipeline? Most configuration changes in Keycloak are so fundamental to the set-up that I cannot see that you would want to change these
on the fly on a production environment at all. It would be very easy to break stuff in my opinion.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
</div>
<div class="">Edgar</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 02 Mar 2016, at 14:00, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" class="">sthorger@redhat.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">Re-importing everything on each startup is not really something we're supporting. Keycloak wasn't really designed for that and the focus is more on run-time configuration. Do you re-import users as well?</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On 2 March 2016 at 13:39, Edgar Vonk - <a href="http://info.nl" class="">
Info.nl</a> <span dir="ltr" class=""><<a href="mailto:Edgar@info.nl" target="_blank" class="">Edgar@info.nl</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word" class="">Thanks Stian!
<div class=""><br class="">
</div>
<div class="">We will have a look at both options.</div>
<div class=""><br class="">
</div>
<div class="">Concerning clustering we have a different challenge which is that we currently re-import all Keycloak realm data on every start up of Keycloak (and because we do continuous delivery and are developing actively this is multiple times a day). This
because we treat all (realm) configuration as source code for which our Git repo is leading.</div>
<div class=""><br class="">
</div>
<div class="">Effectively this means that we recreate the Keycloak database for every new deployment and of course a cluster is not going to help us here when it comes to uptime. Not sure how to deal with this as yet. Ideally we would want some sort of realm
update/patch mechanism instead of a full import but that sounds rather complex to implement.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class="">
<div class="h5">
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 02 Mar 2016, at 13:23, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank" class="">sthorger@redhat.com</a>> wrote:</div>
<br class="">
<div class="">
<div dir="ltr" class="">The tokens themselves are not stored, but can be verified by Keycloak as long as the user session is active. So your question is how to make user sessions persisted. We do not support persisting user sessions at the moment. You have
two choices:
<div class=""><br class="">
</div>
<div class="">1. Add an additional node and configure set owners to 2 for the user session caches, or change it to a replicated cache. See the clustering section in the docs for more details.</div>
<div class="">2. Try to configure Infinispan to persist the sessions. See <a href="https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem" target="_blank" class="">https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem</a> for more details.</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On 1 March 2016 at 20:56, Edgar Vonk - <a href="http://info.nl/" target="_blank" class="">
Info.nl</a> <span dir="ltr" class=""><<a href="mailto:Edgar@info.nl" target="_blank" class="">Edgar@info.nl</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word" class="">Hi all,
<div class=""><br class="">
</div>
<div class="">What would we need to do to make Keycloak user sessions persistent in the database?</div>
<div class=""><br class="">
</div>
<div class="">I think the information in: <a href="http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html" target="_blank" class="">http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html</a> is not relevant anymore with Keycloak
1.9.0? Specifically:</div>
<div class=""><br class="">
</div>
<div class="">
<pre style="background-color:rgb(255,255,255)" class="">"userSessions": {
"provider": "jpa"
}
</pre>
</div>
<div class=""><br class="">
</div>
<div class="">Does not seem to work (“Failed to find provider jpa for userSessions”). User sessions are now managed using Infinispan by default if I understand correctly: <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292" target="_blank" class="">http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292</a> ?</div>
<div class=""><br class="">
</div>
<div class="">Is there a way to make user sessions persistent? </div>
<div class=""><br class="">
</div>
<div class="">Our issue is that we send out a lot of activation (‘update password’) emails from our (single) Keycloak server to new users and since we have a continuous delivery pipeline Keycloak does down and up quite a bit and every time it restarts all temporary
log in tokens used for these update password actions are lost (since they are stored in memory only). And if I understand correctly these tokens are actually a sort of user sessions.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<span class=""><font color="#888888" class="">
<div class=""><br class="">
</div>
<div class="">Edgar</div>
</font></span><span class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 29 Feb 2016, at 17:52, Edgar Vonk - <a href="http://info.nl/" target="_blank" class="">
Info.nl</a> <<a href="mailto:Edgar@info.nl" target="_blank" class="">Edgar@info.nl</a>> wrote:</div>
<br class="">
<div class="">
<div class="">Hi,<br class="">
<br class="">
Let me see if I understand this correctly: in the default set-up of Keycloak, sessions and temporary tokens are not persisted in the Keycloak database? So consider this scenario:<br class="">
<br class="">
1/ login as admin to master realm<br class="">
2/ go to Users - Credentials and send an ‘Update Password’ reset action email<br class="">
3/ user receives an email with a link with a unique token to update his/her password in Keycloak<br class="">
4/ Keycloak server is restarted for whatever reason<br class="">
5/ the temporary ‘login action token’ no longer exists and the link from 3/ no longer works<br class="">
<br class="">
Is this correct and expected behaviour?<br class="">
<br class="">
And if so, can somebody maybe point us in the direction to solve this? I.e. by making sessions/tokens persistent, I guess.<br class="">
<br class="">
cheers<br class="">
<br class="">
Edgar</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</span></div>
<br class="">
_______________________________________________<br class="">
keycloak-user mailing list<br class="">
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank" class="">keycloak-user@lists.jboss.org</a><br class="">
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="">
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
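<div class="">Added illustration of option 1 from Stian's reply (set owners to 2 for the user session caches, or make them replicated). This fragment is not part of the thread and is not taken from the Keycloak documentation; it is written from the editor's knowledge of the <code>keycloak</code> cache-container in <code>standalone/configuration/standalone-ha.xml</code> of a Keycloak 1.9-era distribution. The cache names (<code>sessions</code>, <code>offlineSessions</code>, <code>loginFailures</code>, <code>work</code>) and the default <code>owners="1"</code> are assumed from that release and should be checked against your own file before editing.</div>

```xml
<!-- Added illustration, not from the thread or the Keycloak docs.
     Cache names and defaults are assumed from a Keycloak 1.9-era
     standalone-ha.xml; verify against your own file before editing. -->

<!-- As shipped (assumed): every session entry has exactly one owner.
     When the node that owns an entry leaves the cluster (restart,
     redeploy), that entry disappears, and with it the user session
     or the temporary action token behind a reset-password link. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <local-cache name="realms"/>
    <local-cache name="users"/>
    <distributed-cache name="sessions" mode="SYNC" owners="1"/>
    <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
    <replicated-cache name="work" mode="SYNC"/>
</cache-container>

<!-- Option 1, first variant: with a second node in the cluster, keep
     two copies of every session entry so one node can restart without
     losing sessions. owners="2" only helps while at least two nodes
     are up, so a rolling restart must bring the new node in before
     the old one goes down. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <local-cache name="realms"/>
    <local-cache name="users"/>
    <distributed-cache name="sessions" mode="SYNC" owners="2"/>
    <distributed-cache name="offlineSessions" mode="SYNC" owners="2"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="2"/>
    <replicated-cache name="work" mode="SYNC"/>
</cache-container>

<!-- Option 1, second variant: replicate the session caches to every
     node instead. Simpler to reason about for a two-node cluster, but
     each node then holds all sessions in memory. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <local-cache name="realms"/>
    <local-cache name="users"/>
    <replicated-cache name="sessions" mode="SYNC"/>
    <replicated-cache name="offlineSessions" mode="SYNC"/>
    <replicated-cache name="loginFailures" mode="SYNC"/>
    <replicated-cache name="work" mode="SYNC"/>
</cache-container>
```

<div class="">Either variant addresses the restart scenario only when the pipeline restarts one node at a time; a single-node Keycloak that is stopped and started still loses every in-memory session and action token, which is why the reply starts with "add an additional node". The <code>realms</code> and <code>users</code> local caches only hold data also present in the database and are unaffected by this change.</div>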
</body>
</html>