Next step performance
by Bill Burke
I'd like to have a hangout next week on this. There are really 4 areas to
focus on:
1. Set up a good performance test and get a baseline on current code.
2. Database caching. There are multiple approaches.
* Our caches will be read-mostly except for user session management.
* Write our own REST cache. My idea was to implement a new model
provider that delegates to the real underlying model provider. It would
send RESTful invalidation messages secured by keycloak in a clustered
environment. Maybe use Infinispan or some other local-only cache as the
backbone. I'm really really wary of using Infinispan's (or other caches')
clustering options. I'm not sure how well these guys work in cloud
clustered environments. And I'm not sure how well they've thought of
security.
* Use Hibernate 2nd level cache. Really wary of this as I don't know
how well Infinispan et al. work in a cloud environment. I'd really
like something HTTP based and authenticated by Keycloak. I'm not sure
we'll be able to get the level of control here either that we need.
* Another reason for a custom cache is, IMO, that almost everything can be
stored in memory. Even users.
3. Clustering.
* Keycloak is not completely stateless. Specifically access codes are
stored in memory. We should be able to move this state information into
a cookie.
* User Session management is a huge issue as it is the only thing that
is write-mostly.
4. HTTP Cache-Control
* All themed static content should support a way to set up cache-control
headers.
* Admin REST API could do cache-control too if we had a way to determine
a version number or timestamp on model data. Not that important though
as, IMO, the admin REST API isn't going to have a lot of volume.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 4 months
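The clustering item above proposes moving the in-memory access code state into a cookie. Once that state leaves the server it needs integrity protection and an expiry, otherwise any holder of the cookie can forge or replay it. The following is an added example, not Keycloak's code or Bill's proposal: a cookie value built as base64(payload).base64(HMAC-SHA256), verified before it is parsed, with a constructed demo key and a hypothetical "code"/"realm" payload.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key. In a clustered deployment every node needs the same
# key, otherwise a cookie issued by one node is rejected by another.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding, so the value is cookie-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state_cookie(state: dict, lifespan_seconds: int,
                       key: bytes = DEMO_KEY, now: Optional[float] = None) -> str:
    """Pack server-side state (e.g. an access code) into a cookie value.

    Layout: base64(json payload) "." base64(HMAC-SHA256 over the payload).
    The payload carries an absolute expiry and a random nonce so two cookies
    for the same state are never byte-identical.
    """
    now = time.time() if now is None else now
    payload = dict(state)
    payload["exp"] = int(now) + lifespan_seconds
    payload["nonce"] = secrets.token_hex(8)
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(tag)}"


def verify_state_cookie(cookie: str, key: bytes = DEMO_KEY,
                        now: Optional[float] = None) -> Optional[dict]:
    """Return the state if the cookie is authentic and unexpired, else None.

    The MAC is checked before the payload is parsed, so untrusted bytes are
    never handed to the JSON decoder.
    """
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64decode(tag)):
            return None
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    cookie = issue_state_cookie({"code": "c0de", "realm": "master"}, lifespan_seconds=600)
    print("issued:", cookie)
    print("verified:", verify_state_cookie(cookie))
```

Because every node derives the MAC from the shared key, no node has to hold the access code in memory and the cluster stays stateless for this flow; the expiry in the payload replaces the in-memory timeout.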
Why doesn't import/export use reps?
by Bill Burke
We now have two different models for dealing with imports and two
different code paths too. Why does import/export have its own json
model under model/api/...entities? Why weren't the JSON representations
in keycloak-core/.../representations used?
We already have code that converts between
keycloak-core/...representations and Models that is updated and
maintained. We now have double the work to keep the export/import stuff
in sync too!
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
Release status
by Stian Thorgersen
Where are we at with the release? From my point of view it looks like we're ready to go.
Default timeouts
by Marek Posolda
Does it make sense when ssoSessionIdleTimeout has a bigger value than
accessTokenLifespan? To me it doesn't, as if the accessToken expires then
the refreshToken might already be outdated, since lastSessionAccess is
updated during token refresh.
I wonder if we should update the timeouts for the realm used in the examples
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/t...
? Currently the accessToken timeout is 50 minutes but ssoSessionIdleTimeout
is not specified, so it has the default value of 10 minutes. Also
accessCodeLifespanUserAction is 100 minutes, which is quite big. wdyt?
I also wonder if we should change the default value of ssoSessionIdleTimeout
to be something like "accessTokenLifespan + 5 minutes" instead of 10
minutes, to ensure that if people don't set it, it's bigger than
accessTokenLifespan.
Marek
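The relationship Marek describes can be checked mechanically: a client that only refreshes once its access token has expired sends that refresh at accessTokenLifespan seconds after lastSessionAccess was set, so the session is already idle-expired unless ssoSessionIdleTimeout is strictly larger. The check below is an added example, not Keycloak code; the realm keys accessTokenLifespan, ssoSessionIdleTimeout and accessCodeLifespanUserAction are the ones named in the thread, the 10-minute default and the "+ 5 minutes" margin are the values quoted above, and the demo realm fragment is constructed to mirror them.

```python
DEFAULT_SSO_SESSION_IDLE_TIMEOUT = 10 * 60   # 10 minutes, the default cited in the thread
DEFAULT_IDLE_MARGIN = 5 * 60                 # the "+ 5 minutes" margin proposed in the thread


def refresh_still_possible(access_token_lifespan: int, sso_session_idle_timeout: int) -> bool:
    """Model a client that only refreshes once its access token has expired.

    lastSessionAccess was set when the token was issued (t = 0). The refresh
    arrives at t = access_token_lifespan at the earliest and succeeds only if
    the session has not been idle for sso_session_idle_timeout by then.
    """
    last_session_access = 0
    earliest_refresh = access_token_lifespan
    return earliest_refresh - last_session_access < sso_session_idle_timeout


def recommended_sso_session_idle_timeout(access_token_lifespan: int,
                                         margin: int = DEFAULT_IDLE_MARGIN) -> int:
    # The default Marek proposes: accessTokenLifespan plus a margin.
    return access_token_lifespan + margin


def check_realm_timeouts(realm: dict) -> list:
    """Return human-readable findings for a realm representation (values in seconds)."""
    atl = realm["accessTokenLifespan"]
    idle = realm.get("ssoSessionIdleTimeout", DEFAULT_SSO_SESSION_IDLE_TIMEOUT)
    findings = []
    if not refresh_still_possible(atl, idle):
        findings.append(
            f"ssoSessionIdleTimeout={idle}s is not larger than accessTokenLifespan={atl}s: "
            f"a refresh after the access token expires hits an idle-expired session; "
            f"suggest ssoSessionIdleTimeout={recommended_sso_session_idle_timeout(atl)}s")
    return findings


def apply_default_idle_timeout(realm: dict) -> dict:
    """Fill in ssoSessionIdleTimeout as accessTokenLifespan + margin when it is unset."""
    fixed = dict(realm)
    fixed.setdefault("ssoSessionIdleTimeout",
                     recommended_sso_session_idle_timeout(realm["accessTokenLifespan"]))
    return fixed


# Constructed realm fragment mirroring the values quoted in the thread:
# 50-minute access tokens, 100-minute user-action codes, idle timeout unset.
DEMO_REALM = {
    "realm": "demo",
    "accessTokenLifespan": 50 * 60,
    "accessCodeLifespanUserAction": 100 * 60,
}

if __name__ == "__main__":
    for finding in check_realm_timeouts(DEMO_REALM):
        print("finding:", finding)
    print("with default applied:", apply_default_idle_timeout(DEMO_REALM))
```

Run against the constructed demo realm the check reports the 50-minute token against the 10-minute default idle timeout, and apply_default_idle_timeout fills in 55 minutes (3300 s), after which the check is clean.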
renamed master realm to "master"
by Bill Burke
FYI, I renamed the "keycloak-admin" realm to "master". I did this as
the admin console might be branded, and this would be one less thing to
configure to change the name, as "master" is pretty generic.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
Default admin password
by Marek Posolda
Currently there are many things for the initialization of the master realm
hardcoded in ApplianceBootstrap, including the initial password of the admin
user. Maybe it's not so big an issue as the user is required to change the admin
password after first login, but still it's not ideal IMO because if
someone accesses the admin console faster than you, he can change the admin
password and gain full admin access.
I wonder if we can improve this? At least adding the initial admin password
to keycloak-server.json may help a bit, as people can change the default
value from "admin" to something else. wdyt?
Marek
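One way to close the window Marek describes is for the bootstrap to refuse to start with the well-known default and to mint a random password when none is configured, instead of hardcoding "admin". The code below is an added example and not ApplianceBootstrap or any Keycloak code; the {"admin": {"initialPassword": ...}} layout in keycloak-server.json, the 12-character minimum and the 20-character generated length are assumptions made for the example, and the config fragment is constructed.

```python
import json
import secrets
import string

# The value the thread says ApplianceBootstrap hardcodes today.
HARDCODED_DEFAULT = "admin"
# Assumed policy for this example: reject anything shorter than this.
MIN_LENGTH = 12


class BootstrapError(Exception):
    """Raised when the server must not start with the configured admin password."""


def generate_initial_password(length: int = 20) -> str:
    # Cryptographically random, alphanumeric so it can be pasted from a log.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def resolve_initial_admin_password(server_config: dict, allow_default: bool = False):
    """Return (password, generated) for the master realm's first admin user.

    The config layout {"admin": {"initialPassword": ...}} is an assumption made
    for this example; the thread does not say keycloak-server.json has such a key.
    """
    configured = server_config.get("admin", {}).get("initialPassword")
    if configured is None:
        # Nothing configured: mint a random one rather than fall back to "admin".
        # The bootstrap should print it once and still force a change on first login.
        return generate_initial_password(), True
    if configured == HARDCODED_DEFAULT and not allow_default:
        raise BootstrapError('initial admin password is the well-known default "admin"')
    if len(configured) < MIN_LENGTH and not allow_default:
        raise BootstrapError(f"initial admin password shorter than {MIN_LENGTH} characters")
    return configured, False


def load_server_config(text: str) -> dict:
    return json.loads(text)


# Constructed keycloak-server.json fragment for the demo.
DEMO_CONFIG_TEXT = '{"admin": {"initialPassword": "correct-horse-battery-staple"}}'

if __name__ == "__main__":
    password, generated = resolve_initial_admin_password(load_server_config(DEMO_CONFIG_TEXT))
    print("generated" if generated else "configured", "initial admin password in use")
```

With this in place the only way to boot with the default is an explicit allow_default opt-in, so a fresh instance no longer exposes a password anyone can guess during the interval before the first login.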