Re: [keycloak-dev] client query caches getting complicated
On 2/18/2016 2:07 AM, Stian Thorgersen wrote:
Having two many joins (fetching everything about a realm in one
query)
is probably going to be bad for performance, especially if there are
loads of clients and roles. There can also be large difference between
different vendors.
Another thing in the future we should separate clients out into a
separate store. There could be thousands of clients or even more. So
they should be treated in a similar fashion to users. Does that have
impact on how we improve/refactor/fix caching now?
As I said before, OIDC logout queries *ALL* clients to obtain a list of
valid redirects to compare against the redirect-uri passed to the logout
endpoint. That's about the only very frequent, non-adminstrative
function that requires obtaining a list of all clients. We also really
need a way to figure out of a realm invalidation is the result of the
realm being removed or just updated. Otherwise, you'll be evicting
thousands of clients and other realm related items every time a realm is
updated. Actually, maybe we're better off not evicting clients on a
realm removal, and just registering invalidations for every client in
the realm instead.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com