I've sent PR https://github.com/keycloak/keycloak/pull/1726 with the
persistent changes for offline tokens according to what we discussed
with Stian.
Summary:
- Offline userSessions and clientSessiona are now stored in infinispan,
but also in DB.
- DB storage is done through UserSessionPersisterProvider SPI. I've
added implementations based on JPA and Mongo.
- When new offline userSession and clientSessions needs to be stored, it
is added to both infinispan and persistent storage through
UserSessionPersisterProvider. Revocation/removing of offline session is
also propagated to both infinispan and persister.
- All requests to auth-server (ie. refreshing token etc) interacts with
infinispan storage. Persister is used just during startup to pre-load
infinispan storage with the sessions from DB. This allows that sessions
survive server restart.
- New cache "offlineSessions" was added to the Infinispan. This is
separate to the "sessions" cache as both can have stored sessions with
same IDs, so this is to not clash with each other.
- I've looked at how to best implement the pre-loading of infinispan
with the sessions from persister storage. The infinispan builtin
CacheStore/CacheLoader was my first attempt, however it turned to not
very good for various reasons (For example CacheStore SPI is
incompatible between Infinispan 5 and 6, same for the format of data
etc). In the end I used infinispan DistributionService
http://infinispan.org/docs/5.0.x/user_guide/user_guide.html#_infinispan_distributed_execution_framework
. The impl is done in a way that parallel startup of cluster nodes is
not a problem, but an advantage as each cluster node prefills different
sessions. For example if you have 1000.000 userSessions in DB, the node1
will preload around 500.000 sessions and node2 another 500.000 sessions.
If one of the nodes crashes at startup, it's not a problem as well, even
if it's coordinator node. Similarly when new node joins cluster when
other nodes are still starting and pre-loading, new node will
immediatelly start to help with pre-loading. I wonder we can reuse this
stuff for other long-running tasks as well (for example export/import of
big number of users at startup etc)
- MemUserSessionProvider was updated too, so EAP 6.4 in local mode works
fine as well.
- The persister saves offline sessions data into DB partially serialized
into JSON. Just the columns, which are needed for quick DB search (id,
realm_id, user_id, client_id) are saved as DB columns. I think this
should simplify migration and amount of needed work when new field is
added to UserSession / ClientSession.
- It's possible to have more offline sessions / tokens per user+client
Still TODO:
- Add "Offline token idle timeout" . The offline sessions not refreshed
during specified time will be cleared from both infinispan and storage.
Not sure about default value, 7 days?
- Export/import of offline sessions.
- Minor Juca's reported bug: https://issues.jboss.org/browse/KEYCLOAK-1959
- Reduce some INFO logging I've added
- Maybe more if you have additional feedback?
I expect to have it done by Thursday. It seems I will need to postpone
some LDAP enhancements I planned for this release :/
But none of them are critical. Still need to doublecheck export/import
and fix fuse for this release.
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev