Hi all,
It’s very easy to produce an out-of-memory error. Just make thousands of requests to the login
page with a huge state parameter.
Keycloak allocates a new ClientSessionEntity for each request and stores it with the given
state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
Do you think it is necessary to create a new ClientSessionEntity before the user is
authenticated?
Wouldn’t it be possible to pass all necessary information via URL parameters? Create a
LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to
the URL as a parameter.
Best
Michael
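The two designs contrasted in the message above, as an added toy model (not Keycloak code, and not the poster's own code): one server allocates and retains a session record for every unauthenticated login-page hit, keyed by the caller-chosen state parameter, so an attacker controls its memory growth; the other packs the same fields into a time-limited, integrity-protected token carried in the URL and stores nothing. The class names, the `realm_key` secret, the HMAC-SHA256 signature (a stand-in for the realm-key-protected LoginToken the post proposes) and the `max_state_len` cap are all assumptions of this model.

```python
"""Toy model of stateful vs. stateless pre-authentication login state.
Added example, not Keycloak code; every name here is invented for the model."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class StatefulLoginServer:
    """Per-request allocation: a record is created and kept before the user has
    authenticated, keyed by whatever state value the client sent."""

    def __init__(self):
        self.client_sessions = {}  # stand-in for the per-realm ConcurrentHashMap

    def login_page(self, client_id, redirect_uri, state):
        self.client_sessions[state] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "created": time.time(),
        }

    def retained_bytes(self):
        # Attacker-controlled bytes held in memory: one key per request.
        return sum(len(k) for k in self.client_sessions)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class StatelessLoginServer:
    """Carries the pre-authentication state in a signed URL parameter instead.
    HMAC-SHA256 under a realm secret (assumed) stands in for a realm-key-protected token."""

    def __init__(self, realm_key: bytes, ttl_seconds: int = 300, max_state_len: int = 1024):
        self.realm_key = realm_key
        self.ttl = ttl_seconds
        self.max_state_len = max_state_len  # assumed cap on client-supplied input

    def _sign(self, body: bytes) -> str:
        return _b64url(hmac.new(self.realm_key, body, hashlib.sha256).digest())

    def login_page(self, client_id, redirect_uri, state, now=None):
        # Oversized input is rejected up front rather than carried around.
        if len(state) > self.max_state_len:
            raise ValueError("state parameter too long")
        now = time.time() if now is None else now
        payload = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "state": state, "exp": now + self.ttl}
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        return _b64url(body) + "." + self._sign(body)  # goes into the URL; nothing stored

    def verify_login_token(self, token, now=None):
        """Return the payload if signature and expiry check out, otherwise None."""
        now = time.time() if now is None else now
        try:
            body_b64, sig = token.split(".", 1)
            body = _b64url_decode(body_b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(self._sign(body), sig):
            return None
        payload = json.loads(body)
        if payload.get("exp", 0) < now:
            return None
        return payload


def flood(server, requests=1000, state_len=100_000):
    """Simulate the attack from the post: many login-page hits, each with a huge,
    unique state value. Returns (accepted, rejected) counts."""
    accepted = rejected = 0
    for _ in range(requests):
        state = secrets.token_hex(state_len // 2)  # constructed attacker input
        try:
            server.login_page("demo-client", "https://app.example/cb", state)
            accepted += 1
        except ValueError:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    stateful = StatefulLoginServer()
    flood(stateful, requests=1000, state_len=100_000)
    print("stateful server retains", stateful.retained_bytes(), "attacker-chosen bytes")
    stateless = StatelessLoginServer(b"realm-secret")
    print("stateless server accepted/rejected:", flood(stateless, requests=1000))
```

Running the flood against the stateful model retains about 100 MB of attacker-chosen bytes after a thousand requests, while the stateless model rejects the oversized state and, even for well-formed requests, keeps no per-request record at all; the token is only ever re-validated when the browser comes back from the login form.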