What's been brewing around in my mind awhile is optimization of the
token service. There's no reason everything couldn't be cached in
memory for each token service deployed. Even millions of users could be
cache. Memory is cheap.
The cache should be local only and only the Token Service should use it.
Admin console, or any other update operations would cause invalidation
of each cache on each machine by sending invalidation messages. These
invalidation messages would be REST invocation secured by Keycloak of
course! If we wanted to put in any guarantees, we could back these
invalidation messages with HornetQ or something.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com