Re: [keycloak-dev] Client and Service Account Session

Hi Pedro, In our application we are securing spring-actuator endpoints with a keycloak role. These endpoints are requested repeatedly (every 5 s) by an application called spring-boot-admin<https://github.com/codecentric/spring-boot-admin>;. For the request spring-boot-admin obtains an AccessToken. Because there is a session for each request, we have thousands of open sessions for the service account of spring-boot-admin. Any news, suggestions or solutions on avoiding these open sessions? Thanks. Jörg Zaunegger -----Ursprüngliche Nachricht----- Von: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> Im Auftrag von Pedro Igor Silva Gesendet: Montag, 13. November 2017 09:52 An: keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org> Betreff: RE: [keycloak-dev] Client and Service Account Session Hi, Currently, every time a confidential client tries to get a new access token from the token endpoint a new session is created on the server. This can lead to multiple active sessions for a single client/service account when doing multiple requests to token endpoint. To avoid that the client should store the access token/refresh token and use a refresh token when appropriate in case the access token has expired. That is fine. Now, suppose a confidential client is deployed and wants an access token. A new session will be created on the server. In case the application goes down for some reason (e.g.: container moved to a different node in kubernetes and without a persistent volume) and tries to get a new access token, we may end-up with two active sessions when asking for a new token after a re-deploy. What are your thoughts about re-using existing sessions when doing client credentials ? What could be the impact on clustering if we need (and we'll probably need) to update the session ? Another question would be ... Does make sense to also enable clients to obtain tokens without necessarily creating a session on the server ? I think that in most cases, you don't really want to keep track of sessions when doing client credentials. Regards. Pedro Igor