<div dir="ltr"><div><div><div>Thank you for the prompt response Stian.<br><br>> adding an eviction policy to the realmVersions cache.<br><br></div>This was my impression after reading the ticket too, but I was not sure, because according pull request looks a little bit more complicated.<br></div>We will give a try to this Keycloak setting in the production environment tomorrow.<br></div><div>We are going to enable Infinispan statistics additionally to get more information.<br></div><div><br>> Is there any errors in the logs? <br><br></div>We could identify only errors duiring the service logout until now:<br><br>
<pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace!important">Stack Trace:</span></pre>
<pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace!important">org.keycloak.adapters.ServerRequest.error(ServerRequest.java:228)</span></pre>
<pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace!important">org.keycloak.adapters.ServerRequest.invokeLogout(ServerRequest.java:82)</span></pre>
<pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace!important">com.nhp.ts.b2b.services.auth.KcAdminServiceBean.serviceAccountLogout(KcAdminServiceBean.java:330)</span></pre>
<pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace!important">com.nhp.ts.b2b.services.auth.KcAdminServiceBean.executeAPIpostMethod(KcAdminServiceBean.java:545)</span></pre>
<pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace!important">sun.reflect.GeneratedMethodAccessor10512.invoke(Unknown Source)</span></pre>
...<br><div><br>> What is the status code returned with the empty page?<br><br></div><div>Our web application unfortunately does not log status code and error message. Exception message is null in case of service account logout. We will roll out a fix for this with the next web application release on Thursday this week.<br></div><div><br>Additionally we are going to switch from the OIDC logout endpint method to the ServletRequest.logout() method because it seems to be a more consistent way for a web application which is already protected by Keycloak EAP 6 adapters, isn't it?<br><br></div><div>Additional details about the experienced behaviour: the empty page is our web application internal page. In Google Chrome webbrowser I see for example that the initiator of the last POST request to this internal page was <a href="http://www.googletagmanager.com/gtm.js?id=.">www.googletagmanager.com/gtm.js?id=.</a>.. Could be this a problem?<br></div><div>If I refresh this empty page, I'm back in the web application (still logged in).<br></div><div>But if I call OCID logout endpoint (/realms/${realm}/protocol/openid-connect/logout) in the same browser myself and then refresh the empty page, then I'm redirected to the KC login screen.<br><br></div><div>Any ideas?<br></div><div><br></div><div>Apart from that I hope that we will get more information after the release on Thursday.<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-11 7:37 GMT+02:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>You can relatively easily try though by adding an eviction policy to the realmVersions cache. I found that with roughly a million users there would be around 500Mb of memory consumed, which will run you into issues with the default settings if you have that many users login over a space of a day and a half.</div><div><br></div><div>Empty page could be due to timeout. Is there any errors in the logs? What is the status code returned with the empty page?</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 8 July 2016 at 10:40, Valerij Timofeev <span dir="ltr"><<a href="mailto:valerij.timofeev@gmail.com" target="_blank">valerij.timofeev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div>Hi Stian,<br><br></div>You are the assignee in <a href="https://issues.jboss.org/browse/KEYCLOAK-3202" rel="12635573" target="_blank">KEYCLOAK-3202</a>, so I addressed this email to you directly.<br><br></div>I guess that this issue could be the cause of trouble in our production environment.<br><br>There are 4 EAP-6 nodes with Keycloak adapters and 2 Keycloak 1.9.4 standalone servers running in 2 clusters respectively.<br><br></div>We experience logout failures approximately after one and a half days of operation. <br>Restarting EAP 6 nodes temporary resolves the logout problem.<br><br></div>Durable load tests in out test environment showed that login and logout of existing users don't result in above behaviour.<br></div>We added to the durable load test additional scenario creating new users and were able to reproduce logout failure: users are getting empty page and not the login screen as expected. Page reload navigates back into the protected web application .<br><br></div>Logout is accomplished in a Java web applictaion by calling OIDC logout endpoint:<br><br><i>FacesContext<br> .getCurrentInstance()<br> .getExternalContext()<br> .redirect(keycloakDeployment.getLogoutUrl().queryParam("redirect_uri", redirectURL).toTemplate());<br></i></div><br>Logout is initiated via h:commandLink, so I suppose that the OIDC logout endpoint is called via the GET method. Should we use the POST method instead?<br></div><br>Has servlet logout any advantages?<br><br><i>((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest()).logout();<br><br></i></div>I'd appreciate quick response<i>, </i>because restarting production EAP cluster every day is not a pleasant option ;-)<span lang="en"><span><br><br></span></span></div><span lang="en"><span>Thank you in advance<br><br></span></span></div><span lang="en"><span>Kind regards<span><font color="#888888"><br></font></span></span></span></div><span><font color="#888888"><span lang="en"><span>Valerij Timofeev<br></span></span></font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>