Hello,
This issue might happen for Keycloak users who manage a large number of Offline Access
sessions. IMO, resolving this issue might be beneficial for a lot of Keycloak users.
I'll try to tackle this issue, but I would be happy if anyone who is
interested in this issue would discuss how to resolve it.
Regards,
Takashi Norimatsu
Hitachi, Ltd
----
From: 田畑義之 / TABATA,YOSHIYUKI <yoshiyuki.tabata.jy(a)hitachi.com>
Sent: Wednesday, October 30, 2019 9:22 AM
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Cc: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
Subject: User/ClientSession for Offline Access Management Issue (lost, never recovered and
unused one left on DB everlastingly)
Hello,
# This is Yoshiyuki Tabata writing on behalf of Takashi Norimatsu.
I've used Keycloak (4.8.3.Final) in a clustered environment and managed about 500k
user sessions for Offline Access. I've encountered the following 2 problems:
[Problems]
(i) Still-valid User/Client Sessions for Offline Access are lost, meaning lost from the
Infinispan cache (offlineSessions, offlineClientSessions) of every Keycloak node in the
cluster.
(ii) Such lost User/Client Sessions for Offline Access are left in the DB everlastingly.
As for (i), it seems to be reasonable for ordinary SSO UserSession/ClientSession. However,
it seems not to be reasonable for persisted User/Client Sessions for Offline Access in the DB.
As for (ii), the size of unused resources in the DB seems to increase, so it is a
problem.
I think such problems seem to occur in the following clustering environments:
[Environment]
(a) Infinispan setting owners=1 for offlineSessions and offlineClientSessions.
At least one Keycloak node is down.
The actual case has been reported on https://issues.jboss.org/browse/KEYCLOAK-11829.
(b) The # of Keycloak nodes is larger than the value of owners for offlineSessions and
offlineClientSessions.
A number of Keycloak nodes greater than or equal to the value of owners are down simultaneously.
(c) The # of Keycloak nodes is equal to the value of owners for offlineSessions and
offlineClientSessions, and the sizes of the offlineSessions and
offlineClientSessions caches are bounded.
The active User/Client Session for Offline Access is evicted from the Infinispan cache.
I think the current workaround for these problems is as follows:
* Shut down all Keycloak nodes.
* Reboot one Keycloak node.
By doing so, the rebooted Keycloak node recovers all User/Client Sessions for Offline Access
from the DB into the Infinispan cache.
However, as reported on https://issues.jboss.org/browse/KEYCLOAK-11019, downtime tends to
be long when a vast number of User/Client Sessions for Offline Access exist
in the DB, and it seems not to be acceptable.
To get around it, what do you think about the following idea?
* If a User/Client Session for Offline Access is searched for in the Infinispan cache and
not found, try to search for it in the DB.
I know it seems to increase disk access, so this point needs to be considered.
Regards,
Yoshiyuki Tabata (On behalf of Takashi Norimatsu)
Hitachi, Ltd.
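
Environments (a) and (b) and the proposed DB fallback from the message above, as an added toy model in Python; it is not part of the original e-mail and is not Keycloak or Infinispan code. The `Cluster` class, the node names `kc1`..`kc3`, the hash-based placement and the session ids are assumptions, and the model does no re-replication after a node fails.

```python
import hashlib

class Cluster:
    """Toy model (assumption, not Keycloak code): each session id is held by `owners` nodes."""
    def __init__(self, nodes, owners):
        self.owners = owners
        self.nodes = {n: {} for n in nodes}  # node -> its in-memory cache segment
        self.db = {}                         # persisted offline sessions
        self.db_reads = 0                    # extra DB access caused by the fallback

    def _owners_of(self, sid):
        names = sorted(self.nodes)
        start = int(hashlib.sha256(sid.encode()).hexdigest(), 16) % len(names)
        return [names[(start + i) % len(names)] for i in range(min(self.owners, len(names)))]

    def create_offline_session(self, sid, data):
        self.db[sid] = data                  # offline sessions are written to the DB too
        for n in self._owners_of(sid):
            self.nodes[n][sid] = data

    def nodes_down(self, names):
        for n in names:                      # simultaneous failure: segments are simply gone
            del self.nodes[n]

    def lookup_cache_only(self, sid):
        return next((seg[sid] for seg in self.nodes.values() if sid in seg), None)

    def lookup_with_db_fallback(self, sid):
        hit = self.lookup_cache_only(sid)
        if hit is not None:
            return hit
        self.db_reads += 1                   # cache miss: one DB read
        data = self.db.get(sid)
        if data is not None:                 # re-import so the next lookup is a cache hit
            for n in self._owners_of(sid):
                self.nodes[n][sid] = data
        return data

def simulate(owners, down, sessions=1000):
    c = Cluster(["kc1", "kc2", "kc3"], owners)
    ids = [f"offline-{i}" for i in range(sessions)]   # constructed sample ids
    for sid in ids:
        c.create_offline_session(sid, {"user": sid})
    c.nodes_down(down)
    lost = [s for s in ids if c.lookup_cache_only(s) is None]
    recovered = sum(c.lookup_with_db_fallback(s) is not None for s in lost)
    still_lost = sum(c.lookup_cache_only(s) is None for s in ids)
    return len(lost), recovered, still_lost, c.db_reads
```

`simulate(1, ["kc2"])` returns `(lost, recovered, still_lost, db_reads)`; in this model the DB is read once per lost session, and a lookup for an id that exists nowhere also reaches the DB on every call.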