So, if all Keycloak nodes are down, the user login sessions will be lost?
1. Start a few KC nodes. Some user logs into KC and the refresh token is
stored in the app.
2. Kill all the KC nodes, so the cache cannot be replicated across the
cluster. Restart them again.
3. The app tries to refresh the token using the refresh token from step #1.
4. KC fails to refresh the token because there is no active session
associated with that token. So the user has to re-login.
Is this correct?
On 09/29/2017 06:49 AM, Bill Burke wrote:
TLDR; only offline tokens require database storage.
We have regular tokens and offline tokens. We do not store regular
tokens in memory or on disk. Instead, we have the concept of a login
session (UserSessionModel) which holds metadata about the login. These
sessions are stored in memory and within a distributed cache if in a
cluster. Access and Refresh tokens are minted, digitally signed and
validated and created against metadata within the login session.
Offline tokens are very long lived and thus require their login
session being persisted in a database.
On Thu, Sep 28, 2017 at 9:05 AM, Kishan Sagathiya <ksagathi(a)redhat.com> wrote:
> I am trying to figure out how Keycloak deals with expired sessions and how
> token lifespan affects Keycloak database size and performance.
> But I don't understand the directory structure and where to find the
> relevant code.
> If someone could give some pointers regarding this, that would be great.
> Thanks :)
> -Kishan Sagathiya
> keycloak-dev mailing list
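The four-step scenario in the reply above, worked through as an added example that is not Keycloak code. It models what Bill describes: tokens are signed and carry only a reference to a login session, regular login sessions live only in the (cluster) cache, and offline sessions are additionally persisted. Tokens are HMAC-signed here instead of Keycloak's RSA-signed JWTs, the "database" is a dict, and every name below (`SessionStore`, `mint_token`, `refresh`, `scenario`) is invented for this illustration.

```python
"""Toy model of the session/token relationship described in the thread.

Added illustration, not Keycloak code. Tokens are HMAC-signed here instead of
Keycloak's RSA-signed JWTs, and the "database" is a dict; the names below
(SessionStore, mint_token, refresh, scenario) are invented for this example.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SIGNING_KEY = secrets.token_bytes(32)  # stands in for the realm's signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(session_id: str, kind: str, ttl: int) -> str:
    """Mint a signed token that only references a session; it carries no session state."""
    payload = {"sid": session_id, "typ": kind, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature(token: str) -> Optional[dict]:
    """Check signature and expiry only; says nothing about whether a session still exists."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] < time.time():
            return None
        return payload
    except (ValueError, KeyError):  # malformed token, bad base64/JSON, missing claim
        return None


class SessionStore:
    """Login sessions live in memory (the cluster cache); only offline sessions also hit the DB."""

    def __init__(self) -> None:
        self.cache: dict = {}      # what the distributed cache holds
        self.database: dict = {}   # what survives a full cluster restart

    def login(self, user: str, offline: bool) -> str:
        sid = secrets.token_hex(8)
        session = {"user": user, "offline": offline}
        self.cache[sid] = session
        if offline:
            self.database[sid] = session  # offline session is persisted
        return mint_token(sid, "offline" if offline else "refresh", ttl=3600)

    def restart_all_nodes(self) -> None:
        """Every node down at once: the cache is gone, the database is not."""
        self.cache.clear()

    def refresh(self, refresh_token: str) -> Optional[str]:
        payload = verify_signature(refresh_token)
        if payload is None:
            return None
        sid = payload["sid"]
        session = self.cache.get(sid)
        if session is None and payload["typ"] == "offline":
            # an offline session can be reloaded from persistent storage
            session = self.database.get(sid)
            if session is not None:
                self.cache[sid] = session
        if session is None:
            return None  # valid signature, but no login session behind it
        return mint_token(sid, "access", ttl=300)


def scenario(offline: bool) -> Tuple[bool, bool]:
    """Returns (refresh_ok_before_restart, refresh_ok_after_restart)."""
    store = SessionStore()
    token = store.login("alice", offline=offline)  # constructed sample user
    before = store.refresh(token) is not None
    store.restart_all_nodes()
    after = store.refresh(token) is not None
    return before, after


if __name__ == "__main__":
    print("regular refresh token:", scenario(offline=False))  # (True, False)
    print("offline token:        ", scenario(offline=True))   # (True, True)
```

The regular refresh token still has a valid signature after the restart, but the refresh fails because the session it references no longer exists anywhere; that is the re-login the question anticipates. The offline token succeeds only because its session was written to persistent storage at login, which is the "offline tokens require database storage" point in the reply.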